From 8a8d73598a08d94a515f51240ac262f003d3a6ba Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Mon, 31 Jan 2022 18:54:09 +0100
Subject: ...

---
 hosts/surtr/http.nix | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/hosts/surtr/http.nix b/hosts/surtr/http.nix
index 11441e2c..b8f57268 100644
--- a/hosts/surtr/http.nix
+++ b/hosts/surtr/http.nix
@@ -41,7 +41,6 @@
 };
 };
 };
- users.users."nginx".extraGroups = [ "shadow" ];
 security.acme.domains."webdav.141.li" = {
 zone = "141.li";
 certCfg = {
@@ -53,6 +52,7 @@
 systemd.services.nginx = {
 preStart = lib.mkForce config.services.nginx.preStart;
 serviceConfig = {
+ SupplementaryGroups = [ "shadow" ];
 ExecReload = lib.mkForce "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
 LoadCredential = [
 "webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem"
@@ -61,6 +61,20 @@
 RuntimeDirectory = lib.mkForce [ "nginx" "nginx-client-bodies" ];
 RuntimeDirectoryMode = "0750";
+ NoNewPrivileges = lib.mkForce false;
+ PrivateDevices = lib.mkForce false;
+ ProtectHostname = lib.mkForce false;
+ ProtectKernelTunables = lib.mkForce false;
+ ProtectKernelModules = lib.mkForce false;
+ RestrictAddressFamilies = lib.mkForce [ ];
+ LockPersonality = lib.mkForce false;
+ MemoryDenyWriteExecute = lib.mkForce false;
+ RestrictRealtime = lib.mkForce false;
+ RestrictSUIDSGID = lib.mkForce false;
+ SystemCallArchitectures = lib.mkForce "";
+ ProtectClock = lib.mkForce false;
+ ProtectKernelLogs = lib.mkForce false;
+ RestrictNamespaces = lib.mkForce false;
 SystemCallFilter = lib.mkForce "";
 ReadWritePaths = [ "/srv/files" ];
 };
-- 
cgit v1.2.3
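Review bot: The third hunk force-disables fourteen sandboxing options on the nginx unit (NoNewPrivileges, PrivateDevices, ProtectKernelTunables, ProtectKernelModules, RestrictAddressFamilies, SystemCallArchitectures, RestrictNamespaces and the rest) with `lib.mkForce` and without a comment naming which of them actually conflicts with the service, so together with the existing `SystemCallFilter = lib.mkForce ""` the unit ends up with essentially none of the NixOS module's hardening. Combined with `SupplementaryGroups = [ "shadow" ]` from the second hunk, the worker processes now hold read access to the shadow group's files while also having an unrestricted syscall, address-family and namespace surface, which is a notably wider blast radius than the previous `extraGroups` approach alone. I would expect only the one or two options that demonstrably break the shadow-group setup to be relaxed; until the set is narrowed, a comment such as `# hardening relaxed for shadow-group auth: TODO narrow to the options that actually fail` above the block would at least record the intent for the next reader. `RestrictAddressFamilies = lib.mkForce [ ]` and `SystemCallArchitectures = lib.mkForce ""` presumably clear those restrictions entirely rather than merely overriding the module default, which is worth confirming against how the NixOS serializer emits an empty list and empty string. The `serviceConfig` attribute set opens in the second hunk and closes on the last line of the third, so its full contents are only partly visible here.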