diff options
author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-03-01 12:29:58 +0100 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-03-01 12:29:58 +0100 |
commit | eb2bfa6a42c3435bbe5565a0eb74bd9802f8be9d (patch) | |
tree | 03c9f1c79e56eed00ca03c8891fb9e5c42bb8f23 | |
parent | 3170a30f7dee00376af1e4e4d5229a6045a78388 (diff) | |
download | nixos-eb2bfa6a42c3435bbe5565a0eb74bd9802f8be9d.tar nixos-eb2bfa6a42c3435bbe5565a0eb74bd9802f8be9d.tar.gz nixos-eb2bfa6a42c3435bbe5565a0eb74bd9802f8be9d.tar.bz2 nixos-eb2bfa6a42c3435bbe5565a0eb74bd9802f8be9d.tar.xz nixos-eb2bfa6a42c3435bbe5565a0eb74bd9802f8be9d.zip |
surtr: matrix: isolation
-rw-r--r-- | hosts/surtr/matrix/default.nix | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix index 0c48a243..9376620c 100644 --- a/hosts/surtr/matrix/default.nix +++ b/hosts/surtr/matrix/default.nix | |||
@@ -80,6 +80,10 @@ with lib; | |||
80 | }; | 80 | }; |
81 | 81 | ||
82 | systemd.services.matrix-synapse = { | 82 | systemd.services.matrix-synapse = { |
83 | unitConfig = { | ||
84 | wants = ["postgresql.service"]; | ||
85 | }; | ||
86 | |||
83 | serviceConfig = { | 87 | serviceConfig = { |
84 | LoadCredential = [ | 88 | LoadCredential = [ |
85 | "synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem" | 89 | "synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem" |
@@ -87,6 +91,46 @@ with lib; | |||
87 | "registration.yaml:${config.sops.secrets."matrix-synapse-registration.yaml".path}" | 91 | "registration.yaml:${config.sops.secrets."matrix-synapse-registration.yaml".path}" |
88 | "turn-secret.yaml:${config.sops.secrets."matrix-synapse-turn-secret.yaml".path}" | 92 | "turn-secret.yaml:${config.sops.secrets."matrix-synapse-turn-secret.yaml".path}" |
89 | ]; | 93 | ]; |
94 | |||
95 | RuntimeDirectory = "matrix-synapse"; | ||
96 | StateDirectory = "matrix-synapse"; | ||
97 | |||
98 | PrivateTmp = true; | ||
99 | PrivateDevices = true; | ||
100 | |||
101 | CapabilityBoundingSet = []; | ||
102 | AmbientCapabilities = []; | ||
103 | |||
104 | ProtectSystem = "strict"; | ||
105 | ProtectKernelTunables = true; | ||
106 | ProtectKernelModules = true; | ||
107 | ProtectControlGroups = true; | ||
108 | ProtectClock = true; | ||
109 | ProtectHostname = true; | ||
110 | |||
111 | ProtectHome = "tmpfs"; | ||
112 | ProtectKernelLogs = true; | ||
113 | |||
114 | ProtectProc = "invisible"; | ||
115 | ProcSubset = "pid"; | ||
116 | |||
117 | PrivateNetwork = false; | ||
118 | RestrictAddressFamily = ["AF_INET" "AF_INET6" "AF_UNIX"]; | ||
119 | IPAddressAllow = "any"; | ||
120 | |||
121 | SystemCallArchitectures = "native"; | ||
122 | SystemCallFilter = ["@system-service" "~@privileged @resources @obsolete"]; | ||
123 | |||
124 | RestrictSUIDSGID = true; | ||
125 | RemoveIPC = true; | ||
126 | NoNewPrivileges = true; | ||
127 | RestrictRealtime = true; | ||
128 | RestrictNamespaces = true; | ||
129 | LockPersonality = true; | ||
130 | PrivateUsers = true; | ||
131 | MemoryDenyWriteExecute = false; | ||
132 | |||
133 | ReadWritePaths = ["/var/run/postgresql"]; | ||
90 | }; | 134 | }; |
91 | }; | 135 | }; |
92 | 136 | ||