authorPatrick Spek <p.spek@tyil.nl>2021-05-22 10:06:01 +0200
committerPatrick Spek <p.spek@tyil.nl>2021-05-22 10:06:01 +0200
commitb22190416684e8ed57aa380c89083985eb0d9a4b (patch)
tree08bc85bb8f40b1aa622c263debc02c13c77f4adc /src/.docker
parent0e2897631ec1d5b858929f8bdf1300dedefde244 (diff)
Move some hidden stuff to the src dir
Diffstat (limited to 'src/.docker')
-rw-r--r--src/.docker/envvars.sh14
-rw-r--r--src/.docker/lighttpd.conf29
2 files changed, 43 insertions, 0 deletions
diff --git a/src/.docker/envvars.sh b/src/.docker/envvars.sh
new file mode 100644
index 0000000..71f47e1
--- /dev/null
+++ b/src/.docker/envvars.sh
@@ -0,0 +1,14 @@
+#! /usr/bin/env sh
+
+main()
+{
+ mkvar intendedHost "${INTENDED_HOST:-localhost}"
+ mkvar intendedHostProto "${INTENDED_HOST_PROTO:-http}"
+}
+
+mkvar()
+{
+ printf 'var.%s="%s"\n' "$1" "$2"
+}
+
+main "$@"
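Review bot: `mkvar` writes `$2` into the `var.%s="%s"` line without validating it, and since lighttpd.conf reads a script's output through `include_shell`, that output is parsed as server configuration. An `INTENDED_HOST` or `INTENDED_HOST_PROTO` value containing a double quote or a newline would therefore end the string early and add directives of its own. The values come from the container environment, so exposure is limited to whoever can set it, but failing closed is cheap: before the `printf`, add `case "$2" in *[!A-Za-z0-9.:_-]*) echo "invalid value for $1" >&2; exit 1 ;; esac`. Extend the set if bracketed IPv6 literals are needed. `main` could also accept only `http` or `https` for the scheme.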
diff --git a/src/.docker/lighttpd.conf b/src/.docker/lighttpd.conf
new file mode 100644
index 0000000..1b480ca
--- /dev/null
+++ b/src/.docker/lighttpd.conf
@@ -0,0 +1,29 @@
+server.modules += (
+ "mod_setenv",
+ "mod_redirect",
+)
+
+setenv.add-response-header = (
+ "Content-Security-Policy" => "default-src 'self'; img-src https:; object-src 'self'; script-src 'self'; style-src 'self'",
+ "Referrer-Policy" => "no-referrer",
+ "X-Content-Type-Options" => "nosniff",
+ "X-Frame-Options" => "SAMEORIGIN",
+ "X-Permitted-Cross-Domain-Policies" => "none",
+ "X-XSS-Protection" => "1; mode=block",
+)
+
+include_shell "/usr/local/bin/lighttpd-env.sh"
+
+# Redirect to the "official" domain
+$HTTP["host"] != var.intendedHost {
+ $HTTP["url"] !~ "^/.well-known" {
+ url.redirect = ( "^/(.*)" => var.intendedHostProto + "://" + var.intendedHost + "/$1" )
+ }
+}
+
+# Add CORS header for WKP
+$HTTP["url"] =~ "^/.well-known/openpgpkey" {
+ setenv.add-response-header = (
+ "Access-Control-Allow-Origin" => "*",
+ )
+}
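Review bot: The `setenv.add-response-header = ( ... )` inside the `^/.well-known/openpgpkey` condition uses `=`, and lighttpd replaces rather than merges an option set in a matching condition. Responses under that path would then carry only `Access-Control-Allow-Origin` and lose the CSP, `X-Content-Type-Options` and the other headers from the global block. Writing it as `setenv.add-response-header += ( "Access-Control-Allow-Origin" => "*" )` should keep the inherited list; confirm by checking the response headers of a WKD URL on the running container. Separately, the `.` in `^/.well-known` is an unescaped regex wildcard in both conditions, so `^/\.well-known/` would match only the intended directory.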