Diffstat (limited to 'hosts/surtr/http.nix')
-rw-r--r--hosts/surtr/http.nix16
1 files changed, 15 insertions, 1 deletions
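--- a/hosts/surtr/http.nix
+++ b/hosts/surtr/http.nix
@@ -41,7 +41,6 @@
 };
 };
 };
-users.users."nginx".extraGroups = [ "shadow" ];
 security.acme.domains."webdav.141.li" = {
 zone = "141.li";
 certCfg = {
@@ -53,6 +52,7 @@
 systemd.services.nginx = {
 preStart = lib.mkForce config.services.nginx.preStart;
 serviceConfig = {
+SupplementaryGroups = [ "shadow" ];
 ExecReload = lib.mkForce "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
 LoadCredential = [
 "webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem"
@@ -61,6 +61,20 @@
 RuntimeDirectory = lib.mkForce [ "nginx" "nginx-client-bodies" ];
 RuntimeDirectoryMode = "0750";
 
+NoNewPrivileges = lib.mkForce false;
+PrivateDevices = lib.mkForce false;
+ProtectHostname = lib.mkForce false;
+ProtectKernelTunables = lib.mkForce false;
+ProtectKernelModules = lib.mkForce false;
+RestrictAddressFamilies = lib.mkForce [ ];
+LockPersonality = lib.mkForce false;
+MemoryDenyWriteExecute = lib.mkForce false;
+RestrictRealtime = lib.mkForce false;
+RestrictSUIDSGID = lib.mkForce false;
+SystemCallArchitectures = lib.mkForce "";
+ProtectClock = lib.mkForce false;
+ProtectKernelLogs = lib.mkForce false;
+RestrictNamespaces = lib.mkForce false;
 SystemCallFilter = lib.mkForce "";
 ReadWritePaths = [ "/srv/files" ];
 };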
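Review bot: New lines 64-77 force off nearly every systemd sandboxing option the NixOS nginx module sets (NoNewPrivileges, PrivateDevices, the ProtectKernel* family, RestrictSUIDSGID, SystemCallArchitectures, RestrictNamespaces) in one go, on top of the already-cleared SystemCallFilter, and the same unit now carries the shadow group on line 55; a network-facing process that can read /etc/shadow should keep as much of that confinement as possible, so each override needs a reason or should be dropped. Presumably the shadow group and some of these relaxations are for PAM password checking, but the hunk gives no hint which option actually broke, so I would add a comment above line 64 such as `# Hardening relaxed for PAM auth against /etc/shadow — TODO: re-enable each option not required by the PAM path` and bisect the list rather than disabling everything. `RestrictAddressFamilies = lib.mkForce [ ];` on line 69 is worth a second look as well: an empty list removes the restriction entirely, whereas if only plain networking is needed `lib.mkForce [ "AF_UNIX" "AF_INET" "AF_INET6" ]` keeps the intent explicit. The enclosing `systemd.services.nginx` attribute set ends outside the hunk.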