| author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-01-31 18:54:09 +0100 |
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-01-31 18:54:09 +0100 |
| commit | 8a8d73598a08d94a515f51240ac262f003d3a6ba (patch) | |
| tree | d2f8e089320506ac46d717f990a48d1e0abff197 | |
| parent | f2296df8350e3f1b0c1f6b77e023e1faa02d82c8 (diff) | |
...
| -rw-r--r-- | hosts/surtr/http.nix | 16 |
1 files changed, 15 insertions, 1 deletions
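--- a/hosts/surtr/http.nix
+++ b/hosts/surtr/http.nix
@@ -41,7 +41,6 @@
 };
 };
 };
-users.users."nginx".extraGroups = [ "shadow" ];
 security.acme.domains."webdav.141.li" = {
 zone = "141.li";
 certCfg = {
@@ -53,6 +52,7 @@
 systemd.services.nginx = {
 preStart = lib.mkForce config.services.nginx.preStart;
 serviceConfig = {
+SupplementaryGroups = [ "shadow" ];
 ExecReload = lib.mkForce "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
 LoadCredential = [
 "webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem"
@@ -61,6 +61,20 @@
 RuntimeDirectory = lib.mkForce [ "nginx" "nginx-client-bodies" ];
 RuntimeDirectoryMode = "0750";
 
+NoNewPrivileges = lib.mkForce false;
+PrivateDevices = lib.mkForce false;
+ProtectHostname = lib.mkForce false;
+ProtectKernelTunables = lib.mkForce false;
+ProtectKernelModules = lib.mkForce false;
+RestrictAddressFamilies = lib.mkForce [ ];
+LockPersonality = lib.mkForce false;
+MemoryDenyWriteExecute = lib.mkForce false;
+RestrictRealtime = lib.mkForce false;
+RestrictSUIDSGID = lib.mkForce false;
+SystemCallArchitectures = lib.mkForce "";
+ProtectClock = lib.mkForce false;
+ProtectKernelLogs = lib.mkForce false;
+RestrictNamespaces = lib.mkForce false;
 SystemCallFilter = lib.mkForce "";
 ReadWritePaths = [ "/srv/files" ];
 };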
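Review bot: The third hunk (new-side lines 64–77) switches off fourteen systemd sandboxing settings with `lib.mkForce false` — NoNewPrivileges, PrivateDevices, ProtectKernelTunables/Modules, MemoryDenyWriteExecute, RestrictNamespaces and the rest — but nothing in the diff shows which of them the new `SupplementaryGroups = [ "shadow" ]` actually depends on, so this reads as a blanket relaxation rather than a targeted one. Reading /etc/shadow through group membership needs no extra privilege, and if a setuid helper such as a PAM checker is in play it would at most require NoNewPrivileges; none of the kernel, device or namespace protections are implicated by either, so for an ACME-certified (presumably internet-facing) nginx they should stay at the module defaults unless a concrete failure was observed. I would drop every override that was not needed to make the service start and keep the justification next to those that remain, e.g. `# Relaxed for shadow-group password lookup; each override below was required by an observed startup/auth failure — re-check after upgrades`. `RestrictAddressFamilies = lib.mkForce [ ]` and `SystemCallArchitectures = lib.mkForce ""` presumably render as a reset of the restriction rather than an empty allow-list, i.e. the least restrictive setting, which is worth confirming and stating in that comment. The `};` on new line 80 closes `serviceConfig`, but the enclosing `systemd.services.nginx` block continues past the hunk.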
