muon 2025-01-27 20:55:47 +00:00
parent 4e24f37ab8
commit d52d63ea69
3 changed files with 22 additions and 3 deletions


@ -40,6 +40,7 @@ in {
mods.server.vault.enable = true; mods.server.vault.enable = true;
mods.server.git.enable = true; mods.server.git.enable = true;
mods.server.cal.enable = true; mods.server.cal.enable = true;
mods.server.chat.enable = true;
mods.tailscale.enable = true; mods.tailscale.enable = true;
mods.wireguard.id = 3; mods.wireguard.id = 3;


@ -21,6 +21,16 @@ in with lib; {
services.open-webui = { services.open-webui = {
enable = true; enable = true;
host = "0.0.0.0";
environment = {
ANONYMIZED_TELEMETRY = "False";
DO_NOT_TRACK = "True";
SCARF_NO_ANALYTICS = "True";
OLLAMA_API_BASE_URL = "http://127.0.0.1:11434";
# Disable authentication
WEBUI_AUTH = "False";
};
inherit port; inherit port;
}; };
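Review bot: `host = "0.0.0.0";` combined with `WEBUI_AUTH = "False";` makes the unauthenticated Open WebUI listen on every interface, so any network that can reach the port directly (LAN, WireGuard, Tailscale, or the internet if the firewall allows it) gets full access without passing through the reverse proxy. If nginx runs on the same machine, which the loopback `OLLAMA_API_BASE_URL` suggests, bind to loopback with `host = "127.0.0.1";` and let the proxy be the only entry point. If authentication really must stay off, enforce access control at the proxy and expand the comment to say so, e.g. `# Auth disabled: access is restricted by <proxy/VPN control>; do not expose this port directly`. The `services.open-webui` attribute set starts outside this hunk, so an `openFirewall` setting or other restriction may exist that is not visible here.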


@ -53,16 +53,16 @@ in with lib; {
# add_header Strict-Transport-Security $hsts_header; # add_header Strict-Transport-Security $hsts_header;
# Enable CSP for your services. # Enable CSP for your services.
add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; # add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# Minimize information leaked to other domains # Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin'; # add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Disable embedding as a frame # Disable embedding as a frame
add_header X-Frame-Options DENY; add_header X-Frame-Options DENY;
# Prevent injection of code in other mime types (XSS Attacks) # Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff; # add_header X-Content-Type-Options nosniff;
# This might create errors # This might create errors
# proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; # proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
@ -72,6 +72,14 @@ in with lib; {
# This is necessary to pass the correct IP to be hashed # This is necessary to pass the correct IP to be hashed
real_ip_header X-Real-IP; real_ip_header X-Real-IP;
# security
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
''; '';
virtualHosts = let virtualHosts = let
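Review bot: The `Content-Security-Policy` added in the second hunk allows scripts from any `http:`/`https:` origin plus `'unsafe-inline'`, so it no longer limits script injection the way the now commented-out `script-src 'self'; object-src 'none'; base-uri 'none'` did, and it appears to sit in the shared http-level config, where it would apply to every virtual host rather than only the chat UI. I would keep the strict policy as the default and give a looser one only to the vhost that needs it, bearing in mind that an `add_header` in a server or location block replaces all inherited ones. `frame-ancestors 'self'` also takes precedence over the retained `X-Frame-Options DENY` in browsers that support it, so pick one intent (`frame-ancestors 'none'` matches DENY). `X-XSS-Protection "1; mode=block"` is ignored by current browsers and can be dropped, and `no-referrer-when-downgrade` sends full URLs to other HTTPS origins where `origin-when-cross-origin` sent only the origin. The enclosing config string starts outside these hunks.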