diff options
author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-09-14 16:06:00 +0200 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-09-14 16:06:00 +0200 |
commit | 410a63cf1baf627a0b99c34a955b3d02efabb48f (patch) | |
tree | 0b8a0f16f6de3ea7e1495c373b647c3966e3f4fb /hosts/surtr/matrix/default.nix | |
parent | b931543508377c0e48a6801e4ea217eb523e2b03 (diff) | |
download | nixos-410a63cf1baf627a0b99c34a955b3d02efabb48f.tar nixos-410a63cf1baf627a0b99c34a955b3d02efabb48f.tar.gz nixos-410a63cf1baf627a0b99c34a955b3d02efabb48f.tar.bz2 nixos-410a63cf1baf627a0b99c34a955b3d02efabb48f.tar.xz nixos-410a63cf1baf627a0b99c34a955b3d02efabb48f.zip |
...
Diffstat (limited to 'hosts/surtr/matrix/default.nix')
-rw-r--r-- | hosts/surtr/matrix/default.nix | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix index e3a52f9a..46c2f338 100644 --- a/hosts/surtr/matrix/default.nix +++ b/hosts/surtr/matrix/default.nix | |||
@@ -111,7 +111,7 @@ with lib; | |||
111 | ProtectClock = true; | 111 | ProtectClock = true; |
112 | ProtectHostname = true; | 112 | ProtectHostname = true; |
113 | 113 | ||
114 | ProtectHome = "tmpfs"; | 114 | ProtectHome = true; |
115 | ProtectKernelLogs = true; | 115 | ProtectKernelLogs = true; |
116 | 116 | ||
117 | ProtectProc = "invisible"; | 117 | ProtectProc = "invisible"; |
@@ -123,7 +123,7 @@ with lib; | |||
123 | 123 | ||
124 | SystemCallArchitectures = "native"; | 124 | SystemCallArchitectures = "native"; |
125 | SystemCallFilter = ["@system-service" "~@privileged @resources @obsolete"]; | 125 | SystemCallFilter = ["@system-service" "~@privileged @resources @obsolete"]; |
126 | 126 | ||
127 | RestrictSUIDSGID = true; | 127 | RestrictSUIDSGID = true; |
128 | RemoveIPC = true; | 128 | RemoveIPC = true; |
129 | NoNewPrivileges = true; | 129 | NoNewPrivileges = true; |
@@ -174,7 +174,7 @@ with lib; | |||
174 | ${corsHeaders} | 174 | ${corsHeaders} |
175 | ''; | 175 | ''; |
176 | return = "200 '${builtins.toJSON { | 176 | return = "200 '${builtins.toJSON { |
177 | "m.server" = "synapse.li:443"; | 177 | "m.server" = "synapse.li:443"; |
178 | }}'"; | 178 | }}'"; |
179 | }; | 179 | }; |
180 | "= /.well-known/matrix/client" = { | 180 | "= /.well-known/matrix/client" = { |
@@ -198,7 +198,7 @@ with lib; | |||
198 | sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem"; | 198 | sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem"; |
199 | extraConfig = '' | 199 | extraConfig = '' |
200 | add_header Strict-Transport-Security "max-age=63072000" always; | 200 | add_header Strict-Transport-Security "max-age=63072000" always; |
201 | 201 | ||
202 | add_header X-Frame-Options SAMEORIGIN; | 202 | add_header X-Frame-Options SAMEORIGIN; |
203 | add_header X-Content-Type-Options nosniff; | 203 | add_header X-Content-Type-Options nosniff; |
204 | add_header X-XSS-Protection "1; mode=block"; | 204 | add_header X-XSS-Protection "1; mode=block"; |
@@ -240,7 +240,7 @@ with lib; | |||
240 | "synapse.li".certCfg = { | 240 | "synapse.li".certCfg = { |
241 | postRun = '' | 241 | postRun = '' |
242 | ${pkgs.systemd}/bin/systemctl try-restart nginx.service | 242 | ${pkgs.systemd}/bin/systemctl try-restart nginx.service |
243 | ''; | 243 | ''; |
244 | }; | 244 | }; |
245 | }; | 245 | }; |
246 | 246 | ||