From 2d0d03f84542f1009b8939d623ee6ebb4b690776 Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Mon, 24 Nov 2025 13:54:52 +0100
Subject: [PATCH] chore(nix): enhance Nginx proxy settings for Headscale
- Added extra HTTP headers and security configurations in the Nginx proxy for Headscale.
- Improves websocket handling, security headers, and HTTPS redirection.
---
 systems/x86_64-linux/mx/headscale.nix | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/systems/x86_64-linux/mx/headscale.nix b/systems/x86_64-linux/mx/headscale.nix
index b7508df..d42a5b4 100644
--- a/systems/x86_64-linux/mx/headscale.nix
+++ b/systems/x86_64-linux/mx/headscale.nix
@@ -28,6 +28,18 @@ in
 locations."/" = {
 proxyPass = "http://localhost:${toString config.services.headscale.port}";
 proxyWebsockets = true;
+ extraConfig = ''
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Host $server_name;
+ proxy_redirect http:// https://;
+ proxy_buffering off;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+ '';
 };
 };
 };
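Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` in the added `extraConfig` appends to whatever X-Forwarded-For header the client sent, so if this nginx is the internet-facing hop the backend receives a client-controlled address list; `proxy_set_header X-Forwarded-For $remote_addr;` would forward only the address nginx itself saw, consistent with the `X-Real-IP` line. The first three added directives (`proxy_http_version 1.1`, `Upgrade`, `Connection`) look like what `proxyWebsockets = true;` on the line above is already there to generate, so they are probably redundant, and `proxy_http_version` may be rejected as a duplicate directive; the rendered nginx.conf is worth checking. `includeSubDomains` in the HSTS header commits every subdomain of this host name to HTTPS for the full max-age, and because `add_header` is set at location level it replaces rather than extends any headers added at server level, so a short Nix comment above `extraConfig` stating that both effects are intended would help the next maintainer. The virtual-host block begins outside the hunk, so its TLS and redirect settings are not visible here.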