Diffstat (limited to 'hosts')
| -rw-r--r-- | hosts/surtr/matrix/default.nix | 44 | 
1 files changed, 44 insertions, 0 deletions
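--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
@@ -80,6 +80,10 @@ with lib;
 };
 
 systemd.services.matrix-synapse = {
+unitConfig = {
+wants = ["postgresql.service"];
+};
+
 serviceConfig = {
 LoadCredential = [
 "synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem"
@@ -87,6 +91,46 @@ with lib;
 "registration.yaml:${config.sops.secrets."matrix-synapse-registration.yaml".path}"
 "turn-secret.yaml:${config.sops.secrets."matrix-synapse-turn-secret.yaml".path}"
 ];
+
+RuntimeDirectory = "matrix-synapse";
+StateDirectory = "matrix-synapse";
+
+PrivateTmp = true;
+PrivateDevices = true;
+
+CapabilityBoundingSet = [];
+AmbientCapabilities = [];
+
+ProtectSystem = "strict";
+ProtectKernelTunables = true;
+ProtectKernelModules = true;
+ProtectControlGroups = true;
+ProtectClock = true;
+ProtectHostname = true;
+
+ProtectHome = "tmpfs";
+ProtectKernelLogs = true;
+
+ProtectProc = "invisible";
+ProcSubset = "pid";
+
+PrivateNetwork = false;
+RestrictAddressFamily = ["AF_INET" "AF_INET6" "AF_UNIX"];
+IPAddressAllow = "any";
+
+SystemCallArchitectures = "native";
+SystemCallFilter = ["@system-service" "~@privileged @resources @obsolete"];
+
+RestrictSUIDSGID = true;
+RemoveIPC = true;
+NoNewPrivileges = true;
+RestrictRealtime = true;
+RestrictNamespaces = true;
+LockPersonality = true;
+PrivateUsers = true;
+MemoryDenyWriteExecute = false;
+
+ReadWritePaths = ["/var/run/postgresql"];
 };
 };
 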
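Review bot: `RestrictAddressFamily = [...]` in the second hunk is not a systemd directive; the option is `RestrictAddressFamilies=`, so as written systemd reports an unknown key and the address-family restriction silently does not apply — change it to `RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX"];`. The NixOS module does not appear to validate arbitrary `serviceConfig` keys, so the only symptom is a warning in the journal, and it is worth checking the journal for the same warning on the rest of the hardening keys after deploying. In the first hunk, `unitConfig.wants` emits a lowercase `wants=` key into the [Unit] section, which systemd likewise ignores; the NixOS-native form is `wants = ["postgresql.service"]; after = ["postgresql.service"];` directly under `systemd.services.matrix-synapse`, and without `after` the dependency gives no start ordering relative to PostgreSQL. The `systemd.services.matrix-synapse` attrset is entirely within this section; the enclosing module continues outside it.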
