From 17d24a633e75592f8b0dd5346c919c261332c90c Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Tue, 27 Dec 2022 15:28:59 +0100
Subject: kleen.consulting

---
 hosts/surtr/http/default.nix | 17 -----------------
 hosts/surtr/http/webdav/default.nix | 29 ++++++++++++++++++++++++-----
 2 files changed, 24 insertions(+), 22 deletions(-)
(limited to 'hosts/surtr/http')

diff --git a/hosts/surtr/http/default.nix b/hosts/surtr/http/default.nix
index 920f939c..3d7f3ebf 100644
--- a/hosts/surtr/http/default.nix
+++ b/hosts/surtr/http/default.nix
@@ -35,23 +35,6 @@
 ExecReload = lib.mkForce "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
 RuntimeDirectory = lib.mkForce [ "nginx" "nginx-client-bodies" ];
 RuntimeDirectoryMode = "0750";
-
- NoNewPrivileges = lib.mkForce false;
- PrivateDevices = lib.mkForce false;
- ProtectHostname = lib.mkForce false;
- ProtectKernelTunables = lib.mkForce false;
- ProtectKernelModules = lib.mkForce false;
- RestrictAddressFamilies = lib.mkForce [ ];
- LockPersonality = lib.mkForce false;
- MemoryDenyWriteExecute = lib.mkForce false;
- RestrictRealtime = lib.mkForce false;
- RestrictSUIDSGID = lib.mkForce false;
- SystemCallArchitectures = lib.mkForce "";
- ProtectClock = lib.mkForce false;
- ProtectKernelLogs = lib.mkForce false;
- RestrictNamespaces = lib.mkForce false;
- SystemCallFilter = lib.mkForce "";
- ReadWritePaths = [ "/srv/files" ];
 };
 };
diff --git a/hosts/surtr/http/webdav/default.nix b/hosts/surtr/http/webdav/default.nix
index 1da411d3..0443bc97 100644
--- a/hosts/surtr/http/webdav/default.nix
+++ b/hosts/surtr/http/webdav/default.nix
@@ -76,11 +76,30 @@ in {
 };
 };
- systemd.services.nginx.serviceConfig.LoadCredential = [
- "webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem"
- "webdav.141.li.pem:${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem"
- "webdav.141.li.chain.pem:${config.security.acme.certs."webdav.141.li".directory}/chain.pem"
- ];
+ systemd.services.nginx.serviceConfig = {
+ LoadCredential = [
+ "webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem"
+ "webdav.141.li.pem:${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem"
+ "webdav.141.li.chain.pem:${config.security.acme.certs."webdav.141.li".directory}/chain.pem"
+ ];
+
+ NoNewPrivileges = lib.mkForce false;
+ PrivateDevices = lib.mkForce false;
+ ProtectHostname = lib.mkForce false;
+ ProtectKernelTunables = lib.mkForce false;
+ ProtectKernelModules = lib.mkForce false;
+ RestrictAddressFamilies = lib.mkForce [ ];
+ LockPersonality = lib.mkForce false;
+ MemoryDenyWriteExecute = lib.mkForce false;
+ RestrictRealtime = lib.mkForce false;
+ RestrictSUIDSGID = lib.mkForce false;
+ SystemCallArchitectures = lib.mkForce "";
+ ProtectClock = lib.mkForce false;
+ ProtectKernelLogs = lib.mkForce false;
+ RestrictNamespaces = lib.mkForce false;
+ SystemCallFilter = lib.mkForce "";
+ ReadWritePaths = [ "/srv/files" ];
+ };
 # services.uwsgi.instance.vassals.webdav = {
-- 
cgit v1.2.3
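Review bot: The hardening overrides added under `systemd.services.nginx.serviceConfig` act on the whole nginx unit, i.e. every vhost served by this host and not only webdav.141.li, so moving them into the WebDAV module changes where they are declared but not what they relax, and nothing in the hunk records why WebDAV needs them. `ReadWritePaths = [ "/srv/files" ]` explains itself, but the fifteen `lib.mkForce` lines from `NoNewPrivileges = lib.mkForce false;` through `SystemCallFilter = lib.mkForce "";` switch off the NixOS nginx hardening defaults with no stated reason, and `mkForce` also wins over any stricter value set for the unit elsewhere in the configuration. I would add a comment above `NoNewPrivileges`: `# Relaxes the nginx hardening defaults for the ENTIRE nginx unit (all vhosts), not just WebDAV; presumably only write access to /srv/files is actually required — re-check each override before keeping it.` The enclosing module attribute set (`in {`) begins and ends outside the hunk.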