Diffstat (limited to 'hosts/surtr')
| -rw-r--r-- | hosts/surtr/email/ca/.gitignore | 4 | ||||
| -rw-r--r-- | hosts/surtr/email/ca/index.txt | 1 | ||||
| -rw-r--r-- | hosts/surtr/email/ca/serial | 2 | ||||
| -rw-r--r-- | hosts/surtr/matrix/default.nix | 10 |
4 files changed, 10 insertions, 7 deletions
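--- a/hosts/surtr/email/ca/.gitignore
+++ b/hosts/surtr/email/ca/.gitignore
@@ -3,4 +3,6 @@
 *.old
 *.crt
 *.pkcs12
-certs
\ No newline at end of file
+*.p12
+certs
+index.txt.bak
\ No newline at end of file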
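Review bot: Nothing in this hunk covers bare key material: `*.p12` (which bundles a private key) is now ignored, but `*.key` and a `private/` directory are not, and the first two lines of the file are outside the hunk, so confirm they cover the CA signing key and issued client keys, otherwise add `*.key` and `private/`. The committed `index.txt` and `serial` look like an `openssl ca` database, which is fine to track since it holds no secrets, but if that is the tool in use it also writes `index.txt.attr` next to `index.txt.bak`, and no visible pattern ignores it.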
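--- a/hosts/surtr/email/ca/index.txt
+++ b/hosts/surtr/email/ca/index.txt
@@ -1,2 +1,3 @@
 V 320513204402Z 03 unknown /CN=gkleen
 V 320515063648Z 04 unknown /CN=nmuehlbauer
+V 320910104724Z 05 unknown /CN=mwgnr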
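Review bot: The new entry's expiry `320910104724Z` (2032-09-10) gives the mwgnr certificate roughly ten years of validity if it was issued around the time of this commit, matching the two existing 2032 entries; for per-user email client certificates that is long, and nothing in this commit shows a CRL or `crlnumber` that would let one be revoked early. Consider lowering `default_days` in the CA config (outside this diff) for future issuance. This is a generated database file, so the point is about issuance policy, not the line itself; note also that `openssl ca` writes it tab-separated, which the rendering here flattens to spaces.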
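--- a/hosts/surtr/email/ca/serial
+++ b/hosts/surtr/email/ca/serial
@@ -1 +1 @@
-05
+06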
diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix index e3a52f9a..46c2f338 100644 --- a/hosts/surtr/matrix/default.nix +++ b/hosts/surtr/matrix/default.nix | |||
| @@ -111,7 +111,7 @@ with lib; | |||
| 111 | ProtectClock = true; | 111 | ProtectClock = true; |
| 112 | ProtectHostname = true; | 112 | ProtectHostname = true; |
| 113 | 113 | ||
| 114 | ProtectHome = "tmpfs"; | 114 | ProtectHome = true; |
| 115 | ProtectKernelLogs = true; | 115 | ProtectKernelLogs = true; |
| 116 | 116 | ||
| 117 | ProtectProc = "invisible"; | 117 | ProtectProc = "invisible"; |
| @@ -123,7 +123,7 @@ with lib; | |||
| 123 | 123 | ||
| 124 | SystemCallArchitectures = "native"; | 124 | SystemCallArchitectures = "native"; |
| 125 | SystemCallFilter = ["@system-service" "~@privileged @resources @obsolete"]; | 125 | SystemCallFilter = ["@system-service" "~@privileged @resources @obsolete"]; |
| 126 | 126 | ||
| 127 | RestrictSUIDSGID = true; | 127 | RestrictSUIDSGID = true; |
| 128 | RemoveIPC = true; | 128 | RemoveIPC = true; |
| 129 | NoNewPrivileges = true; | 129 | NoNewPrivileges = true; |
| @@ -174,7 +174,7 @@ with lib; | |||
| 174 | ${corsHeaders} | 174 | ${corsHeaders} |
| 175 | ''; | 175 | ''; |
| 176 | return = "200 '${builtins.toJSON { | 176 | return = "200 '${builtins.toJSON { |
| 177 | "m.server" = "synapse.li:443"; | 177 | "m.server" = "synapse.li:443"; |
| 178 | }}'"; | 178 | }}'"; |
| 179 | }; | 179 | }; |
| 180 | "= /.well-known/matrix/client" = { | 180 | "= /.well-known/matrix/client" = { |
| @@ -198,7 +198,7 @@ with lib; | |||
| 198 | sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem"; | 198 | sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem"; |
| 199 | extraConfig = '' | 199 | extraConfig = '' |
| 200 | add_header Strict-Transport-Security "max-age=63072000" always; | 200 | add_header Strict-Transport-Security "max-age=63072000" always; |
| 201 | 201 | ||
| 202 | add_header X-Frame-Options SAMEORIGIN; | 202 | add_header X-Frame-Options SAMEORIGIN; |
| 203 | add_header X-Content-Type-Options nosniff; | 203 | add_header X-Content-Type-Options nosniff; |
| 204 | add_header X-XSS-Protection "1; mode=block"; | 204 | add_header X-XSS-Protection "1; mode=block"; |
| @@ -240,7 +240,7 @@ with lib; | |||
| 240 | "synapse.li".certCfg = { | 240 | "synapse.li".certCfg = { |
| 241 | postRun = '' | 241 | postRun = '' |
| 242 | ${pkgs.systemd}/bin/systemctl try-restart nginx.service | 242 | ${pkgs.systemd}/bin/systemctl try-restart nginx.service |
| 243 | ''; | 243 | ''; |
| 244 | }; | 244 | }; |
| 245 | }; | 245 | }; |
| 246 | 246 | ||
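Review bot: In the `extraConfig` header block (new-side lines 200–204) only the HSTS `add_header` carries `always`; `X-Frame-Options`, `X-Content-Type-Options` and `X-XSS-Protection` are added without it, so nginx omits them on 4xx/5xx responses, where clickjacking and MIME-sniffing protection still matter. Append `always` to those three directives. `X-XSS-Protection "1; mode=block"` is also the legacy browser filter that current guidance turns off, since the filter itself has been abused for cross-site leaks in older browsers; prefer `add_header X-XSS-Protection "0" always;` together with a `Content-Security-Policy`, unless one is already set outside this hunk. The virtualHost's `extraConfig` string continues past the end of the hunk, and the four hunks after the `ProtectHome` one show identical old and new text, so their changes appear to be whitespace-only.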
