author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-12-27 15:28:59 +0100 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-12-27 15:28:59 +0100 |
commit | 17d24a633e75592f8b0dd5346c919c261332c90c (patch) | |
tree | 01eceef16b07fdb0e440e060bffb8ac38e222d93 /hosts/surtr/http/webdav | |
parent | 47c4a1e7f3074ca10412abe5efd3a01ed6ba099e (diff) | |
kleen.consulting
Diffstat (limited to 'hosts/surtr/http/webdav')
-rw-r--r-- | hosts/surtr/http/webdav/default.nix | 29 |
1 files changed, 24 insertions, 5 deletions
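--- a/hosts/surtr/http/webdav/default.nix
+++ b/hosts/surtr/http/webdav/default.nix
@@ -76,11 +76,30 @@ in {
 };
 };
 
-systemd.services.nginx.serviceConfig.LoadCredential = [
-"webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem"
-"webdav.141.li.pem:${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem"
-"webdav.141.li.chain.pem:${config.security.acme.certs."webdav.141.li".directory}/chain.pem"
-];
+systemd.services.nginx.serviceConfig = {
+LoadCredential = [
+"webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem"
+"webdav.141.li.pem:${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem"
+"webdav.141.li.chain.pem:${config.security.acme.certs."webdav.141.li".directory}/chain.pem"
+];
+
+NoNewPrivileges = lib.mkForce false;
+PrivateDevices = lib.mkForce false;
+ProtectHostname = lib.mkForce false;
+ProtectKernelTunables = lib.mkForce false;
+ProtectKernelModules = lib.mkForce false;
+RestrictAddressFamilies = lib.mkForce [ ];
+LockPersonality = lib.mkForce false;
+MemoryDenyWriteExecute = lib.mkForce false;
+RestrictRealtime = lib.mkForce false;
+RestrictSUIDSGID = lib.mkForce false;
+SystemCallArchitectures = lib.mkForce "";
+ProtectClock = lib.mkForce false;
+ProtectKernelLogs = lib.mkForce false;
+RestrictNamespaces = lib.mkForce false;
+SystemCallFilter = lib.mkForce "";
+ReadWritePaths = [ "/srv/files" ];
+};
 
 
 # services.uwsgi.instance.vassals.webdav = {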
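Review bot: The new `serviceConfig` block force-disables nearly every sandboxing option on the nginx unit (`NoNewPrivileges`, `SystemCallFilter`, `RestrictAddressFamilies`, `MemoryDenyWriteExecute`, `RestrictSUIDSGID` and the rest, new lines 86-100), and no comment says which of them the WebDAV setup needs relaxed. This is the same unit that receives the TLS private key through `LoadCredential` and now gets write access to `/srv/files`, so a compromised worker is contained far less than before. I would drop every `lib.mkForce` override that is not demonstrably required and put a one-line reason above each one that stays, e.g. `# needed by <component>: <why>`. `ProtectKernelModules`, `ProtectKernelLogs`, `ProtectClock`, `RestrictRealtime` and `LockPersonality` look unrelated to serving files, though the rest of the module is outside this hunk and may show otherwise. Comparing `systemd-analyze security nginx.service` before and after would show how much exposure the remaining overrides add.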