vueko/element-web: Make PDF download work

machines/vueko/services/element-web.nix

@@ -1,5 +1,18 @@
 { lib, pkgs, ... }:
-
+let
+  # This uses
+  # https://github.com/vector-im/element-web#configuration-best-practices
+  # but allows to disable the frame-ancestors rule for /usercontent/.
+  mkSecurityHeaders = withFrameOptions: ''
+    add_header X-Content-Type-Options nosniff;
+    add_header X-Frame-Options SAMEORIGIN;
+    add_header X-XSS-Protection "1; mode=block";
+  '' + lib.optionalString withFrameOptions ''
+    add_header Content-Security-Policy "frame-ancestors 'none'";
+  '' + lib.optionalString (!withFrameOptions) ''
+    add_header Content-Security-Policy "frame-ancestors 'self'";
+  '';
+in
 {
   services.nginx.virtualHosts."chat.sbruder.de" = {
     enableACME = true;
@@ -7,13 +20,8 @@
 
     root = pkgs.element-web;
 
-    extraConfig = ''
+    extraConfig = mkSecurityHeaders true;
-      # https://github.com/vector-im/element-web#configuration-best-practices
+    locations."/usercontent/".extraConfig = mkSecurityHeaders false;
-      add_header Content-Security-Policy "frame-ancestors 'none'";
-      add_header X-Content-Type-Options nosniff;
-      add_header X-Frame-Options SAMEORIGIN;
-      add_header X-XSS-Protection "1; mode=block";
-    '';
 
     # nixpkgs’s override mechanism doesn’t allow overriding of all options
     locations."=/config.chat.sbruder.de.json".alias = pkgs.writeText "config.chat.sbruder.de.json" (lib.generators.toJSON { } {