...

author: Gregor Kleen <gkleen@yggdrasil.li> 2022-09-14 16:06:00 +0200
committer: Gregor Kleen <gkleen@yggdrasil.li> 2022-09-14 16:06:00 +0200
commit: 410a63cf1baf627a0b99c34a955b3d02efabb48f (patch)
tree: 0b8a0f16f6de3ea7e1495c373b647c3966e3f4fb /hosts/surtr/matrix
parent: b931543508377c0e48a6801e4ea217eb523e2b03 (diff)
download: nixos-410a63cf1baf627a0b99c34a955b3d02efabb48f.tar
nixos-410a63cf1baf627a0b99c34a955b3d02efabb48f.tar.gz
nixos-410a63cf1baf627a0b99c34a955b3d02efabb48f.tar.bz2
nixos-410a63cf1baf627a0b99c34a955b3d02efabb48f.tar.xz
nixos-410a63cf1baf627a0b99c34a955b3d02efabb48f.zip
1 files changed, 5 insertions, 5 deletions
diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix
index e3a52f9a..46c2f338 100644
--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
@@ -111,7 +111,7 @@ with lib;
        ProtectClock = true;
        ProtectHostname = true;
-        ProtectHome = "tmpfs";
+        ProtectHome = true;
        ProtectKernelLogs = true;
        ProtectProc = "invisible";
@@ -123,7 +123,7 @@ with lib;
        SystemCallArchitectures = "native";
        SystemCallFilter = ["@system-service" "~@privileged @resources @obsolete"];
-        
        RestrictSUIDSGID = true;
        RemoveIPC = true;
        NoNewPrivileges = true;
@@ -174,7 +174,7 @@ with lib;
              ${corsHeaders}
            '';
            return = "200 '${builtins.toJSON {
-              "m.server" = "synapse.li:443"; 
+              "m.server" = "synapse.li:443";
            }}'";
          };
          "= /.well-known/matrix/client" = {
@@ -198,7 +198,7 @@ with lib;
        sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem";
        extraConfig = ''
          add_header Strict-Transport-Security "max-age=63072000" always;
-          
          add_header X-Frame-Options SAMEORIGIN;
          add_header X-Content-Type-Options nosniff;
          add_header X-XSS-Protection "1; mode=block";
@@ -240,7 +240,7 @@ with lib;
      "synapse.li".certCfg = {
        postRun = ''
          ${pkgs.systemd}/bin/systemctl try-restart nginx.service
-        '';       
+        '';
      };
    };
author	Gregor Kleen <gkleen@yggdrasil.li>	2022-09-14 16:06:00 +0200
committer	Gregor Kleen <gkleen@yggdrasil.li>	2022-09-14 16:06:00 +0200
commit	410a63cf1baf627a0b99c34a955b3d02efabb48f (patch)
tree	0b8a0f16f6de3ea7e1495c373b647c3966e3f4fb /hosts/surtr/matrix
parent	b931543508377c0e48a6801e4ea217eb523e2b03 (diff)
download	nixos-410a63cf1baf627a0b99c34a955b3d02efabb48f.tar nixos-410a63cf1baf627a0b99c34a955b3d02efabb48f.tar.gz nixos-410a63cf1baf627a0b99c34a955b3d02efabb48f.tar.bz2 nixos-410a63cf1baf627a0b99c34a955b3d02efabb48f.tar.xz nixos-410a63cf1baf627a0b99c34a955b3d02efabb48f.zip

diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix index e3a52f9a..46c2f338 100644 --- a/hosts/surtr/matrix/default.nix +++ b/hosts/surtr/matrix/default.nix
@@ -111,7 +111,7 @@ with lib;
111	ProtectClock = true;	111	ProtectClock = true;
112	ProtectHostname = true;	112	ProtectHostname = true;
113		113
114	ProtectHome = "tmpfs";	114	ProtectHome = true;
115	ProtectKernelLogs = true;	115	ProtectKernelLogs = true;
116		116
117	ProtectProc = "invisible";	117	ProtectProc = "invisible";
@@ -123,7 +123,7 @@ with lib;
123		123
124	SystemCallArchitectures = "native";	124	SystemCallArchitectures = "native";
125	SystemCallFilter = ["@system-service" "~@privileged @resources @obsolete"];	125	SystemCallFilter = ["@system-service" "~@privileged @resources @obsolete"];
126		126
127	RestrictSUIDSGID = true;	127	RestrictSUIDSGID = true;
128	RemoveIPC = true;	128	RemoveIPC = true;
129	NoNewPrivileges = true;	129	NoNewPrivileges = true;
@@ -174,7 +174,7 @@ with lib;
174	${corsHeaders}	174	${corsHeaders}
175	'';	175	'';
176	return = "200 '${builtins.toJSON {	176	return = "200 '${builtins.toJSON {
177	"m.server" = "synapse.li:443";	177	"m.server" = "synapse.li:443";
178	}}'";	178	}}'";
179	};	179	};
180	"= /.well-known/matrix/client" = {	180	"= /.well-known/matrix/client" = {
@@ -198,7 +198,7 @@ with lib;
198	sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem";	198	sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem";
199	extraConfig = ''	199	extraConfig = ''
200	add_header Strict-Transport-Security "max-age=63072000" always;	200	add_header Strict-Transport-Security "max-age=63072000" always;
201		201
202	add_header X-Frame-Options SAMEORIGIN;	202	add_header X-Frame-Options SAMEORIGIN;
203	add_header X-Content-Type-Options nosniff;	203	add_header X-Content-Type-Options nosniff;
204	add_header X-XSS-Protection "1; mode=block";	204	add_header X-XSS-Protection "1; mode=block";
@@ -240,7 +240,7 @@ with lib;
240	"synapse.li".certCfg = {	240	"synapse.li".certCfg = {
241	postRun = ''	241	postRun = ''
242	${pkgs.systemd}/bin/systemctl try-restart nginx.service	242	${pkgs.systemd}/bin/systemctl try-restart nginx.service
243	'';	243	'';
244	};	244	};
245	};	245	};
246		246