From 2bb22477163af34638828b09afa77c259c34935b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Benjamin=20Yule=20B=C3=A4dorf?=
Date: Fri, 22 Mar 2024 12:38:29 +0100
Subject: [PATCH] website: add security.txt

Ref: https://git.pub.solar/pub-solar/legal/issues/11
---
 hosts/nachtigall/apps/nginx-website.nix | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/hosts/nachtigall/apps/nginx-website.nix b/hosts/nachtigall/apps/nginx-website.nix
index 4212350..3611d48 100644
--- a/hosts/nachtigall/apps/nginx-website.nix
+++ b/hosts/nachtigall/apps/nginx-website.nix
@@ -1,6 +1,4 @@
-{ ... }:
-
-{
+{ lib, ... }: {
 systemd.tmpfiles.rules = [
 "d '/srv/www/pub.solar' 0750 hakkonaut hakkonaut - -"
 ];
@@ -54,6 +52,22 @@
 '';
 };
 
+ # Responsible disclosure information https://securitytxt.org/
+ "/.well-known/security.txt" = let
+ securityTXT = lib.lists.foldr (a: b: a + "\n" + b) "" [
+ "Contact: mailto:admins@pub.solar"
+ "Expires: 2025-01-04T23:00:00.000Z"
+ "Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/8A8987ADE3736C8CA2EB315A9B809EBBDD62BAE3"
+ "Preferred-Languages: en,de"
+ "Canonical: https://pub.solar/.well-known/security.txt"
+ ];
+ in {
+ extraConfig = ''
+ add_header Content-Type text/plain;
+ return 200 '${securityTXT}';
+ '';
+ };
+
 "/satzung" = {
 extraConfig = ''
 return 302 https://cloud.pub.solar/s/iaKqiW25QJpHPYs;
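Review bot: In the added `/.well-known/security.txt` location, `add_header Content-Type text/plain;` appends a header rather than setting the response type, so nginx will most likely still emit its own Content-Type (from the `.txt` MIME mapping or `default_type`) next to this one; replacing it with `default_type text/plain;` and `charset utf-8;` sets the type once and matches the `text/plain; charset=utf-8` that RFC 9116 asks for. An `add_header` inside a location also stops `add_header` directives declared at server level from being inherited, so any security headers configured outside this hunk (not visible here) would be missing on this path. The hard-coded `Expires: 2025-01-04T23:00:00.000Z` makes the file stale after that date, so a comment beside it such as `# bump Expires before 2025-01-04; RFC 9116 recommends less than a year ahead` would keep the renewal from being forgotten. The enclosing locations attribute set starts and ends outside the hunk.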