diff options
author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-01-31 18:54:09 +0100 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-01-31 18:54:09 +0100 |
commit | 8a8d73598a08d94a515f51240ac262f003d3a6ba (patch) | |
tree | d2f8e089320506ac46d717f990a48d1e0abff197 /hosts | |
parent | f2296df8350e3f1b0c1f6b77e023e1faa02d82c8 (diff) | |
download | nixos-8a8d73598a08d94a515f51240ac262f003d3a6ba.tar nixos-8a8d73598a08d94a515f51240ac262f003d3a6ba.tar.gz nixos-8a8d73598a08d94a515f51240ac262f003d3a6ba.tar.bz2 nixos-8a8d73598a08d94a515f51240ac262f003d3a6ba.tar.xz nixos-8a8d73598a08d94a515f51240ac262f003d3a6ba.zip |
...
Diffstat (limited to 'hosts')
-rw-r--r-- | hosts/surtr/http.nix | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/hosts/surtr/http.nix b/hosts/surtr/http.nix index 11441e2c..b8f57268 100644 --- a/hosts/surtr/http.nix +++ b/hosts/surtr/http.nix | |||
@@ -41,7 +41,6 @@ | |||
41 | }; | 41 | }; |
42 | }; | 42 | }; |
43 | }; | 43 | }; |
44 | users.users."nginx".extraGroups = [ "shadow" ]; | ||
45 | security.acme.domains."webdav.141.li" = { | 44 | security.acme.domains."webdav.141.li" = { |
46 | zone = "141.li"; | 45 | zone = "141.li"; |
47 | certCfg = { | 46 | certCfg = { |
@@ -53,6 +52,7 @@ | |||
53 | systemd.services.nginx = { | 52 | systemd.services.nginx = { |
54 | preStart = lib.mkForce config.services.nginx.preStart; | 53 | preStart = lib.mkForce config.services.nginx.preStart; |
55 | serviceConfig = { | 54 | serviceConfig = { |
55 | SupplementaryGroups = [ "shadow" ]; | ||
56 | ExecReload = lib.mkForce "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; | 56 | ExecReload = lib.mkForce "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; |
57 | LoadCredential = [ | 57 | LoadCredential = [ |
58 | "webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem" | 58 | "webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem" |
@@ -61,6 +61,20 @@ | |||
61 | RuntimeDirectory = lib.mkForce [ "nginx" "nginx-client-bodies" ]; | 61 | RuntimeDirectory = lib.mkForce [ "nginx" "nginx-client-bodies" ]; |
62 | RuntimeDirectoryMode = "0750"; | 62 | RuntimeDirectoryMode = "0750"; |
63 | 63 | ||
64 | NoNewPrivileges = lib.mkForce false; | ||
65 | PrivateDevices = lib.mkForce false; | ||
66 | ProtectHostname = lib.mkForce false; | ||
67 | ProtectKernelTunables = lib.mkForce false; | ||
68 | ProtectKernelModules = lib.mkForce false; | ||
69 | RestrictAddressFamilies = lib.mkForce [ ]; | ||
70 | LockPersonality = lib.mkForce false; | ||
71 | MemoryDenyWriteExecute = lib.mkForce false; | ||
72 | RestrictRealtime = lib.mkForce false; | ||
73 | RestrictSUIDSGID = lib.mkForce false; | ||
74 | SystemCallArchitectures = lib.mkForce ""; | ||
75 | ProtectClock = lib.mkForce false; | ||
76 | ProtectKernelLogs = lib.mkForce false; | ||
77 | RestrictNamespaces = lib.mkForce false; | ||
64 | SystemCallFilter = lib.mkForce ""; | 78 | SystemCallFilter = lib.mkForce ""; |
65 | ReadWritePaths = [ "/srv/files" ]; | 79 | ReadWritePaths = [ "/srv/files" ]; |
66 | }; | 80 | }; |