authorGregor Kleen <gkleen@yggdrasil.li>2022-01-31 18:54:09 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2022-01-31 18:54:09 +0100
commit8a8d73598a08d94a515f51240ac262f003d3a6ba (patch)
treed2f8e089320506ac46d717f990a48d1e0abff197 /hosts
parentf2296df8350e3f1b0c1f6b77e023e1faa02d82c8 (diff)
downloadnixos-8a8d73598a08d94a515f51240ac262f003d3a6ba.tar
nixos-8a8d73598a08d94a515f51240ac262f003d3a6ba.tar.gz
nixos-8a8d73598a08d94a515f51240ac262f003d3a6ba.tar.bz2
nixos-8a8d73598a08d94a515f51240ac262f003d3a6ba.tar.xz
nixos-8a8d73598a08d94a515f51240ac262f003d3a6ba.zip
...
Diffstat (limited to 'hosts')
-rw-r--r--hosts/surtr/http.nix16
1 files changed, 15 insertions, 1 deletions
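diff --git a/hosts/surtr/http.nix b/hosts/surtr/http.nix
index 11441e2c..b8f57268 100644
--- a/hosts/surtr/http.nix
+++ b/hosts/surtr/http.nix
@@ -41,7 +41,6 @@
 };
 };
 };
-users.users."nginx".extraGroups = [ "shadow" ];
 security.acme.domains."webdav.141.li" = {
 zone = "141.li";
 certCfg = {
@@ -53,6 +52,7 @@
 systemd.services.nginx = {
 preStart = lib.mkForce config.services.nginx.preStart;
 serviceConfig = {
+SupplementaryGroups = [ "shadow" ];
 ExecReload = lib.mkForce "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
 LoadCredential = [
 "webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem"
@@ -61,6 +61,20 @@
 RuntimeDirectory = lib.mkForce [ "nginx" "nginx-client-bodies" ];
 RuntimeDirectoryMode = "0750";
 
+NoNewPrivileges = lib.mkForce false;
+PrivateDevices = lib.mkForce false;
+ProtectHostname = lib.mkForce false;
+ProtectKernelTunables = lib.mkForce false;
+ProtectKernelModules = lib.mkForce false;
+RestrictAddressFamilies = lib.mkForce [ ];
+LockPersonality = lib.mkForce false;
+MemoryDenyWriteExecute = lib.mkForce false;
+RestrictRealtime = lib.mkForce false;
+RestrictSUIDSGID = lib.mkForce false;
+SystemCallArchitectures = lib.mkForce "";
+ProtectClock = lib.mkForce false;
+ProtectKernelLogs = lib.mkForce false;
+RestrictNamespaces = lib.mkForce false;
 SystemCallFilter = lib.mkForce "";
 ReadWritePaths = [ "/srv/files" ];
 };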
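Review bot: New lines 64–77 in the last hunk switch off essentially the whole systemd sandbox of the nginx unit at once (NoNewPrivileges, PrivateDevices, every Protect* and Restrict* option, SystemCallArchitectures, and RestrictAddressFamilies forced to an empty list, on top of the SystemCallFilter that was already emptied before this commit), while the only visible motivation is the `shadow` supplementary group added in the previous hunk. Moving that group from `users.users."nginx".extraGroups` into the unit's `SupplementaryGroups` is the narrower choice and is fine, but it is unlikely that all fourteen hardening options block reading /etc/shadow; presumably only one or two do (which ones is not inferable from the hunk), and the remaining ones should stay at the NixOS defaults since a service that can read password hashes is exactly the one that should keep its sandbox. Each option that genuinely has to stay off deserves a why-comment, e.g. `# required so nginx can read /etc/shadow through the shadow group; remaining hardening left at defaults`, and `RestrictAddressFamilies = lib.mkForce [ ]` in particular lifts the restriction entirely rather than adding the one family that was missing. The `serviceConfig` attrset continues past the end of the hunk.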