From abb9050f0c07764dcfd3bc1841d5cc6da9894117 Mon Sep 17 00:00:00 2001
From: "Chinmay D. Pai"
Date: Sun, 6 Oct 2024 17:49:49 +0530
Subject: [PATCH] chore: remove default CSP and add CSP for immich
Signed-off-by: Chinmay D. Pai
---
 modules/nixos/services/immich/default.nix | 10 ++++++++++
 modules/nixos/services/nginx/default.nix | 3 ---
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/modules/nixos/services/immich/default.nix b/modules/nixos/services/immich/default.nix
index 2bb3c6e..62bd9fc 100644
--- a/modules/nixos/services/immich/default.nix
+++ b/modules/nixos/services/immich/default.nix
@@ -43,6 +43,16 @@
 proxy_connect_timeout 600;
 proxy_read_timeout 600;
 proxy_send_timeout 600;
+
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://${cfg.domain} https://static.immich.cloud https://tiles.immich.cloud 'sha256-h5wSYKWbmHcoYTdkHNNguMswVNCphpvwW+uxooXhF/Y=' 'sha256-+tEpShk9UPRYp31qABDDu+0EulxL6LIbIZ035p8TTss='; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' https://${cfg.domain} https://tiles.immich.cloud https://static.immich.cloud; frame-ancestors 'self'; worker-src 'self' blob:;" always;
+
+ add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
+ add_header Referrer-Policy "no-referrer-when-downgrade" always;
+ add_header Cross-Origin-Embedder-Policy "require-corp" always;
+ add_header Cross-Origin-Opener-Policy "same-origin" always;
+ add_header Cross-Origin-Resource-Policy "same-origin" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Content-Type-Options "nosniff" always;
 '';
 };
 };
diff --git a/modules/nixos/services/nginx/default.nix b/modules/nixos/services/nginx/default.nix
index 5850903..10c1f9b 100644
--- a/modules/nixos/services/nginx/default.nix
+++ b/modules/nixos/services/nginx/default.nix
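Review bot: The policy string in the new `add_header Content-Security-Policy` line drops the `object-src 'none'` and `base-uri 'none'` directives that the removed global policy in modules/nixos/services/nginx/default.nix carried; `base-uri` has no fallback to `default-src`, so `<base>` injection is now unrestricted on the immich vhost, and `object-src` falls back to `'self'`, which is looser than `'none'`. I would append `object-src 'none'; base-uri 'none';` inside the quoted policy before `always`. Separately, nginx inherits `add_header` from the enclosing level only when the current level defines none, so if the HSTS and Referrer-Policy headers from the nginx module sit at an outer level than this block (not visible from the hunk), these new lines replace them rather than extend them, and this block's `Referrer-Policy "no-referrer-when-downgrade"` also disagrees with the module's `'origin-when-cross-origin'` — worth checking the served headers after deploy. `Cross-Origin-Embedder-Policy "require-corp"` will make the browser block no-cors responses from tiles.immich.cloud and static.immich.cloud unless they carry a CORP or CORS header, so verify that map tiles and static assets still load. The Nix string this block sits in opens outside the hunk.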
@@ -35,9 +35,6 @@
 # Strict Transport Security (HSTS): Yes
 add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
- # Enable CSP
- add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
-
 # Minimize information leaked to other domains
 add_header 'Referrer-Policy' 'origin-when-cross-origin';