Diffstat (limited to 'hosts/surtr/http')
| -rw-r--r-- | hosts/surtr/http/default.nix | 17 | ||||
| -rw-r--r-- | hosts/surtr/http/webdav/default.nix | 29 |
2 files changed, 24 insertions, 22 deletions
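diff --git a/hosts/surtr/http/default.nix b/hosts/surtr/http/default.nix
index 920f939c..3d7f3ebf 100644
--- a/hosts/surtr/http/default.nix
+++ b/hosts/surtr/http/default.nix
@@ -35,23 +35,6 @@
 ExecReload = lib.mkForce "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
 RuntimeDirectory = lib.mkForce [ "nginx" "nginx-client-bodies" ];
 RuntimeDirectoryMode = "0750";
-
-NoNewPrivileges = lib.mkForce false;
-PrivateDevices = lib.mkForce false;
-ProtectHostname = lib.mkForce false;
-ProtectKernelTunables = lib.mkForce false;
-ProtectKernelModules = lib.mkForce false;
-RestrictAddressFamilies = lib.mkForce [ ];
-LockPersonality = lib.mkForce false;
-MemoryDenyWriteExecute = lib.mkForce false;
-RestrictRealtime = lib.mkForce false;
-RestrictSUIDSGID = lib.mkForce false;
-SystemCallArchitectures = lib.mkForce "";
-ProtectClock = lib.mkForce false;
-ProtectKernelLogs = lib.mkForce false;
-RestrictNamespaces = lib.mkForce false;
-SystemCallFilter = lib.mkForce "";
-ReadWritePaths = [ "/srv/files" ];
 };
 };
 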
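diff --git a/hosts/surtr/http/webdav/default.nix b/hosts/surtr/http/webdav/default.nix
index 1da411d3..0443bc97 100644
--- a/hosts/surtr/http/webdav/default.nix
+++ b/hosts/surtr/http/webdav/default.nix
@@ -76,11 +76,30 @@ in {
 };
 };
 
-systemd.services.nginx.serviceConfig.LoadCredential = [
-"webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem"
-"webdav.141.li.pem:${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem"
-"webdav.141.li.chain.pem:${config.security.acme.certs."webdav.141.li".directory}/chain.pem"
-];
+systemd.services.nginx.serviceConfig = {
+LoadCredential = [
+"webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem"
+"webdav.141.li.pem:${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem"
+"webdav.141.li.chain.pem:${config.security.acme.certs."webdav.141.li".directory}/chain.pem"
+];
+
+NoNewPrivileges = lib.mkForce false;
+PrivateDevices = lib.mkForce false;
+ProtectHostname = lib.mkForce false;
+ProtectKernelTunables = lib.mkForce false;
+ProtectKernelModules = lib.mkForce false;
+RestrictAddressFamilies = lib.mkForce [ ];
+LockPersonality = lib.mkForce false;
+MemoryDenyWriteExecute = lib.mkForce false;
+RestrictRealtime = lib.mkForce false;
+RestrictSUIDSGID = lib.mkForce false;
+SystemCallArchitectures = lib.mkForce "";
+ProtectClock = lib.mkForce false;
+ProtectKernelLogs = lib.mkForce false;
+RestrictNamespaces = lib.mkForce false;
+SystemCallFilter = lib.mkForce "";
+ReadWritePaths = [ "/srv/files" ];
+};
 
 
 # services.uwsgi.instance.vassals.webdav = {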
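Review bot: The block of `lib.mkForce false` / `lib.mkForce ""` overrides moved into the webdav module (new lines 86–101) still applies to the whole `nginx.service`, not just the WebDAV vhost, because `systemd.services.nginx.serviceConfig` is a single merged attribute set; putting it in a per-site file makes that global effect easy to overlook. Nothing in the hunk records which of these relaxations the WebDAV path actually requires — `ReadWritePaths = [ "/srv/files" ]` is the one with an obvious purpose, while `SystemCallFilter = lib.mkForce ""`, `SystemCallArchitectures = lib.mkForce ""`, `NoNewPrivileges`, `ProtectKernelModules` and `MemoryDenyWriteExecute` together undo essentially all of the NixOS nginx module's sandboxing for every site served by this host. Please add a comment above the block stating the reason and its scope, e.g. `# NOTE: these override the nginx module's hardening for the ENTIRE nginx.service; WebDAV needs write access to /srv/files — TODO re-enable each option that is not actually required`, and consider checking the resulting unit with `systemd-analyze security nginx.service` so the list can be trimmed to what is needed. The enclosing attribute set continues outside the hunk.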
