From 3bdbe66fe47e38692b2a0eabd052255dafadbc1c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= <tm@tlater.net>
Date: Tue, 12 Oct 2021 13:53:08 +0100
Subject: [PATCH] nginx: Enable HSTS

---
 configuration/default.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/configuration/default.nix b/configuration/default.nix
index 683b144..8600070 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -63,7 +63,10 @@
         lib.recursiveUpdate {
           forceSSL = true;
           enableACME = true;
-          locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; };
+          locations."/".proxyPass = "http://127.0.0.1:${toString port}";
+          extraConfig = ''
+            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+          '';
         } extra;
       domain = config.services.nginx.domain;
     in {