Diffstat (limited to 'hosts/surtr')
-rw-r--r--hosts/surtr/email/ca/.gitignore4
-rw-r--r--hosts/surtr/email/ca/index.txt1
-rw-r--r--hosts/surtr/email/ca/serial2
-rw-r--r--hosts/surtr/matrix/default.nix10
4 files changed, 10 insertions, 7 deletions
diff --git a/hosts/surtr/email/ca/.gitignore b/hosts/surtr/email/ca/.gitignore
index adafac92..af29cdfa 100644
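--- a/hosts/surtr/email/ca/.gitignore
+++ b/hosts/surtr/email/ca/.gitignore
@@ -3,4 +3,6 @@
 *.old
 *.crt
 *.pkcs12
-certs
\ No newline at end of file
+*.p12
+certs
+index.txt.bak
\ No newline at end of file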
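Review bot: The ignore list for this CA directory is a denylist of suffixes, and having to add `*.p12` next to the existing `*.pkcs12` shows how a key or certificate bundle exported under a new suffix can slip past it and be staged. An allowlist would be safer here: ignore everything with a single `*` pattern and re-include only the files that are meant to be tracked (from this commit, `index.txt` and `serial`, plus `.gitignore` itself) with `!` patterns. Lines 1–2 of the file are outside the hunk, so this assumes they hold similar per-suffix patterns.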
diff --git a/hosts/surtr/email/ca/index.txt b/hosts/surtr/email/ca/index.txt
index 40c9605a..cbaf96b2 100644
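--- a/hosts/surtr/email/ca/index.txt
+++ b/hosts/surtr/email/ca/index.txt
@@ -1,2 +1,3 @@
 V 320513204402Z 03 unknown /CN=gkleen
 V 320515063648Z 04 unknown /CN=nmuehlbauer
+V 320910104724Z 05 unknown /CN=mwgnr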
diff --git a/hosts/surtr/email/ca/serial b/hosts/surtr/email/ca/serial
index eeee65ec..cd672a53 100644
--- a/hosts/surtr/email/ca/serial
+++ b/hosts/surtr/email/ca/serial
@@ -1 +1 @@
05 06
diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix
index e3a52f9a..46c2f338 100644
--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
@@ -111,7 +111,7 @@ with lib;
111 ProtectClock = true; 111 ProtectClock = true;
112 ProtectHostname = true; 112 ProtectHostname = true;
113 113
114 ProtectHome = "tmpfs"; 114 ProtectHome = true;
115 ProtectKernelLogs = true; 115 ProtectKernelLogs = true;
116 116
117 ProtectProc = "invisible"; 117 ProtectProc = "invisible";
@@ -123,7 +123,7 @@ with lib;
123 123
124 SystemCallArchitectures = "native"; 124 SystemCallArchitectures = "native";
125 SystemCallFilter = ["@system-service" "~@privileged @resources @obsolete"]; 125 SystemCallFilter = ["@system-service" "~@privileged @resources @obsolete"];
126 126
127 RestrictSUIDSGID = true; 127 RestrictSUIDSGID = true;
128 RemoveIPC = true; 128 RemoveIPC = true;
129 NoNewPrivileges = true; 129 NoNewPrivileges = true;
@@ -174,7 +174,7 @@ with lib;
174 ${corsHeaders} 174 ${corsHeaders}
175 ''; 175 '';
176 return = "200 '${builtins.toJSON { 176 return = "200 '${builtins.toJSON {
177 "m.server" = "synapse.li:443"; 177 "m.server" = "synapse.li:443";
178 }}'"; 178 }}'";
179 }; 179 };
180 "= /.well-known/matrix/client" = { 180 "= /.well-known/matrix/client" = {
@@ -198,7 +198,7 @@ with lib;
198 sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem"; 198 sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem";
199 extraConfig = '' 199 extraConfig = ''
200 add_header Strict-Transport-Security "max-age=63072000" always; 200 add_header Strict-Transport-Security "max-age=63072000" always;
201 201
202 add_header X-Frame-Options SAMEORIGIN; 202 add_header X-Frame-Options SAMEORIGIN;
203 add_header X-Content-Type-Options nosniff; 203 add_header X-Content-Type-Options nosniff;
204 add_header X-XSS-Protection "1; mode=block"; 204 add_header X-XSS-Protection "1; mode=block";
@@ -240,7 +240,7 @@ with lib;
240 "synapse.li".certCfg = { 240 "synapse.li".certCfg = {
241 postRun = '' 241 postRun = ''
242 ${pkgs.systemd}/bin/systemctl try-restart nginx.service 242 ${pkgs.systemd}/bin/systemctl try-restart nginx.service
243 ''; 243 '';
244 }; 244 };
245 }; 245 };
246 246
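Review bot: The change of `ProtectHome` from `"tmpfs"` to `true` at line 114 is the only visible behavioural change in this file, and it lands without a comment while the other four hunks show no visible difference in this rendering (presumably whitespace-only). With `true`, systemd makes /home, /root and /run/user inaccessible to the unit, whereas `"tmpfs"` is mainly useful when paths beneath them are bound back in, so any `BindPaths`/`BindReadOnlyPaths` entry under those directories may no longer be usable. The enclosing attribute set starts and ends outside the hunk, so that cannot be checked here. I would add a comment such as `# no bind mounts under /home, /root or /run/user, so full ProtectHome is sufficient` and keep the whitespace cleanup in a separate commit so the sandboxing change is easy to audit.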