summaryrefslogtreecommitdiff
path: root/hosts/surtr/matrix/default.nix
diff options
context:
space:
mode:
authorGregor Kleen <gkleen@yggdrasil.li>2022-09-14 16:06:00 +0200
committerGregor Kleen <gkleen@yggdrasil.li>2022-09-14 16:06:00 +0200
commit410a63cf1baf627a0b99c34a955b3d02efabb48f (patch)
tree0b8a0f16f6de3ea7e1495c373b647c3966e3f4fb /hosts/surtr/matrix/default.nix
parentb931543508377c0e48a6801e4ea217eb523e2b03 (diff)
downloadnixos-410a63cf1baf627a0b99c34a955b3d02efabb48f.tar
nixos-410a63cf1baf627a0b99c34a955b3d02efabb48f.tar.gz
nixos-410a63cf1baf627a0b99c34a955b3d02efabb48f.tar.bz2
nixos-410a63cf1baf627a0b99c34a955b3d02efabb48f.tar.xz
nixos-410a63cf1baf627a0b99c34a955b3d02efabb48f.zip
...
Diffstat (limited to 'hosts/surtr/matrix/default.nix')
-rw-r--r--hosts/surtr/matrix/default.nix10
1 files changed, 5 insertions, 5 deletions
diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix
index e3a52f9a..46c2f338 100644
--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
@@ -111,7 +111,7 @@ with lib;
111 ProtectClock = true; 111 ProtectClock = true;
112 ProtectHostname = true; 112 ProtectHostname = true;
113 113
114 ProtectHome = "tmpfs"; 114 ProtectHome = true;
115 ProtectKernelLogs = true; 115 ProtectKernelLogs = true;
116 116
117 ProtectProc = "invisible"; 117 ProtectProc = "invisible";
@@ -123,7 +123,7 @@ with lib;
123 123
124 SystemCallArchitectures = "native"; 124 SystemCallArchitectures = "native";
125 SystemCallFilter = ["@system-service" "~@privileged @resources @obsolete"]; 125 SystemCallFilter = ["@system-service" "~@privileged @resources @obsolete"];
126 126
127 RestrictSUIDSGID = true; 127 RestrictSUIDSGID = true;
128 RemoveIPC = true; 128 RemoveIPC = true;
129 NoNewPrivileges = true; 129 NoNewPrivileges = true;
@@ -174,7 +174,7 @@ with lib;
174 ${corsHeaders} 174 ${corsHeaders}
175 ''; 175 '';
176 return = "200 '${builtins.toJSON { 176 return = "200 '${builtins.toJSON {
177 "m.server" = "synapse.li:443"; 177 "m.server" = "synapse.li:443";
178 }}'"; 178 }}'";
179 }; 179 };
180 "= /.well-known/matrix/client" = { 180 "= /.well-known/matrix/client" = {
@@ -198,7 +198,7 @@ with lib;
198 sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem"; 198 sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem";
199 extraConfig = '' 199 extraConfig = ''
200 add_header Strict-Transport-Security "max-age=63072000" always; 200 add_header Strict-Transport-Security "max-age=63072000" always;
201 201
202 add_header X-Frame-Options SAMEORIGIN; 202 add_header X-Frame-Options SAMEORIGIN;
203 add_header X-Content-Type-Options nosniff; 203 add_header X-Content-Type-Options nosniff;
204 add_header X-XSS-Protection "1; mode=block"; 204 add_header X-XSS-Protection "1; mode=block";
@@ -240,7 +240,7 @@ with lib;
240 "synapse.li".certCfg = { 240 "synapse.li".certCfg = {
241 postRun = '' 241 postRun = ''
242 ${pkgs.systemd}/bin/systemctl try-restart nginx.service 242 ${pkgs.systemd}/bin/systemctl try-restart nginx.service
243 ''; 243 '';
244 }; 244 };
245 }; 245 };
246 246