From c223517102e93c5be36bb119b77090477b182148 Mon Sep 17 00:00:00 2001 From: Corbin Bartsch Date: Wed, 13 Apr 2022 22:37:15 -0400 Subject: [PATCH] Enabled HTTP Strict Transport Security by default --- defaults/main.yaml | 2 ++ templates/apache2_ssl_nextcloud.conf.j2 | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/defaults/main.yaml b/defaults/main.yaml index fe01324..7314f71 100644 --- a/defaults/main.yaml +++ b/defaults/main.yaml @@ -14,6 +14,8 @@ nextcloud_www_path: '/var/www/nextcloud/' nextcloud_ssl: true nextcloud_ssl_certificate_path: "/etc/ssl/certs/ssl-cert-snakeoil.pem" nextcloud_ssl_key_path: "/etc/ssl/private/ssl-cert-snakeoil.key" +nextcloud_hsts: true +nextcloud_hsts_preload: false # Apache configuration diff --git a/templates/apache2_ssl_nextcloud.conf.j2 b/templates/apache2_ssl_nextcloud.conf.j2 index c12d3d4..6f99d3d 100644 --- a/templates/apache2_ssl_nextcloud.conf.j2 +++ b/templates/apache2_ssl_nextcloud.conf.j2 @@ -31,6 +31,12 @@ SSLOptions +StdEnvVars + +{% if nextcloud_hsts %} + + Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains{% if nextcloud_hsts_preload %}; preload{% endif %}" + +{% endif %}
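Review bot: The new defaults `nextcloud_hsts: true` and `nextcloud_hsts_preload: false` in defaults/main.yaml carry no comment, although enabling HSTS by default changes behaviour for existing deployments and is hard to roll back once clients have cached the policy. The defaults directly above still point at the snakeoil certificate; browsers are expected to ignore the header on a connection with certificate errors, so the policy starts to bind only once a trusted certificate is installed. I would add a comment above each line, for example `# Send Strict-Transport-Security from the SSL vhost; clients cache it for the max-age set in the template (15552000 s)` and `# Adds the preload directive; preload-list inclusion is slow to undo, leave false unless every subdomain serves HTTPS`. Presumably the header is only rendered when `nextcloud_ssl` is true, since it lives in the SSL template; the comment should say so if that holds.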
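Review bot: When `nextcloud_hsts_preload` is true, the `Header always set Strict-Transport-Security` line emits `preload` together with `max-age=15552000`, which is below the one-year (31536000) minimum the browser preload list requires, so the flag cannot do what its name promises. `includeSubDomains` is also hard-coded, which applies the policy to every subdomain of the host for 180 days whether or not those subdomains serve HTTPS. I would make both values configurable, e.g. `Header always set Strict-Transport-Security "max-age={{ nextcloud_hsts_max_age }}{% if nextcloud_hsts_include_subdomains or nextcloud_hsts_preload %}; includeSubDomains{% endif %}{% if nextcloud_hsts_preload %}; preload{% endif %}"`, with matching defaults in defaults/main.yaml and a documented requirement that preload needs a max-age of at least one year. The bare `+` lines around the directive appear to have lost markup in this rendering, so whether the directive is guarded by a mod_headers check cannot be confirmed from here.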