Diffstat (limited to 'hosts/surtr')
-rw-r--r-- | hosts/surtr/email/ca/.gitignore | 4 | ||||
-rw-r--r-- | hosts/surtr/email/ca/index.txt | 1 | ||||
-rw-r--r-- | hosts/surtr/email/ca/serial | 2 | ||||
-rw-r--r-- | hosts/surtr/matrix/default.nix | 10 |
4 files changed, 10 insertions, 7 deletions
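--- a/hosts/surtr/email/ca/.gitignore
+++ b/hosts/surtr/email/ca/.gitignore
@@ -3,4 +3,6 @@
 *.old
 *.crt
 *.pkcs12
-certs
\ No newline at end of file
+*.p12
+certs
+index.txt.bak
\ No newline at end of file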
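--- a/hosts/surtr/email/ca/index.txt
+++ b/hosts/surtr/email/ca/index.txt
@@ -1,2 +1,3 @@
 V 320513204402Z 03 unknown /CN=gkleen
 V 320515063648Z 04 unknown /CN=nmuehlbauer
+V 320910104724Z 05 unknown /CN=mwgnr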
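--- a/hosts/surtr/email/ca/serial
+++ b/hosts/surtr/email/ca/serial
@@ -1 +1 @@
-05
+06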
diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix index e3a52f9a..46c2f338 100644 --- a/hosts/surtr/matrix/default.nix +++ b/hosts/surtr/matrix/default.nix | |||
@@ -111,7 +111,7 @@ with lib; | |||
111 | ProtectClock = true; | 111 | ProtectClock = true; |
112 | ProtectHostname = true; | 112 | ProtectHostname = true; |
113 | 113 | ||
114 | ProtectHome = "tmpfs"; | 114 | ProtectHome = true; |
115 | ProtectKernelLogs = true; | 115 | ProtectKernelLogs = true; |
116 | 116 | ||
117 | ProtectProc = "invisible"; | 117 | ProtectProc = "invisible"; |
@@ -123,7 +123,7 @@ with lib; | |||
123 | 123 | ||
124 | SystemCallArchitectures = "native"; | 124 | SystemCallArchitectures = "native"; |
125 | SystemCallFilter = ["@system-service" "~@privileged @resources @obsolete"]; | 125 | SystemCallFilter = ["@system-service" "~@privileged @resources @obsolete"]; |
126 | 126 | ||
127 | RestrictSUIDSGID = true; | 127 | RestrictSUIDSGID = true; |
128 | RemoveIPC = true; | 128 | RemoveIPC = true; |
129 | NoNewPrivileges = true; | 129 | NoNewPrivileges = true; |
@@ -174,7 +174,7 @@ with lib; | |||
174 | ${corsHeaders} | 174 | ${corsHeaders} |
175 | ''; | 175 | ''; |
176 | return = "200 '${builtins.toJSON { | 176 | return = "200 '${builtins.toJSON { |
177 | "m.server" = "synapse.li:443"; | 177 | "m.server" = "synapse.li:443"; |
178 | }}'"; | 178 | }}'"; |
179 | }; | 179 | }; |
180 | "= /.well-known/matrix/client" = { | 180 | "= /.well-known/matrix/client" = { |
@@ -198,7 +198,7 @@ with lib; | |||
198 | sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem"; | 198 | sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem"; |
199 | extraConfig = '' | 199 | extraConfig = '' |
200 | add_header Strict-Transport-Security "max-age=63072000" always; | 200 | add_header Strict-Transport-Security "max-age=63072000" always; |
201 | 201 | ||
202 | add_header X-Frame-Options SAMEORIGIN; | 202 | add_header X-Frame-Options SAMEORIGIN; |
203 | add_header X-Content-Type-Options nosniff; | 203 | add_header X-Content-Type-Options nosniff; |
204 | add_header X-XSS-Protection "1; mode=block"; | 204 | add_header X-XSS-Protection "1; mode=block"; |
@@ -240,7 +240,7 @@ with lib; | |||
240 | "synapse.li".certCfg = { | 240 | "synapse.li".certCfg = { |
241 | postRun = '' | 241 | postRun = '' |
242 | ${pkgs.systemd}/bin/systemctl try-restart nginx.service | 242 | ${pkgs.systemd}/bin/systemctl try-restart nginx.service |
243 | ''; | 243 | ''; |
244 | }; | 244 | }; |
245 | }; | 245 | }; |
246 | 246 | ||
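Review bot: `ProtectHome = true;` on line 114 replaces `"tmpfs"` without a comment recording why; `true` makes /home, /root and /run/user inaccessible and empty for the unit, whereas `"tmpfs"` mounted empty temporary file systems there, so the service must not rely on anything under those paths. A short Nix comment above the line, such as `# service needs no home directory; make /home, /root and /run/user inaccessible instead of mounting an empty tmpfs`, would make the intent clear to the next reader. The other four hunks in this file (lines 123–129, 174–180, 198–204 and 240–246) show identical old and new text, so their change is presumably whitespace-only and nothing is raised there. The enclosing attribute set begins and ends outside the hunk.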