homelab tinkering 9

modules/server/vaultwarden/default.nix

@@ -30,13 +30,18 @@ in {
     };
 
     services.caddy.virtualHosts."vault.cnst.dev".extraConfig = ''
-      reverse_proxy ${vcfg.ROCKET_ADDRESS}:${toString vcfg.ROCKET_PORT}
+      log {
-      header {
+        level INFO
-        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+        output file {$LOG_FILE} {
-        X-Content-Type-Options "nosniff"
+          roll_size 10MB
-        X-Frame-Options "SAMEORIGIN"
+          roll_keep 10
-        Referrer-Policy "strict-origin-when-cross-origin"
+        }
-        Permissions-Policy "geolocation=(), microphone=(), camera=()"
+      }
+
+      encode zstd gzip
+
+      reverse_proxy ${vcfg.ROCKET_ADDRESS}:${toString vcfg.ROCKET_PORT} {
+        header_up X-Real-IP {remote_host}
       }
     '';