From 410a63cf1baf627a0b99c34a955b3d02efabb48f Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Wed, 14 Sep 2022 16:06:00 +0200 Subject: ... --- hosts/surtr/email/ca/.gitignore | 4 +++- hosts/surtr/email/ca/index.txt | 1 + hosts/surtr/email/ca/serial | 2 +- hosts/surtr/matrix/default.nix | 10 +++++----- 4 files changed, 10 insertions(+), 7 deletions(-) (limited to 'hosts/surtr') diff --git a/hosts/surtr/email/ca/.gitignore b/hosts/surtr/email/ca/.gitignore index adafac92..af29cdfa 100644 --- a/hosts/surtr/email/ca/.gitignore +++ b/hosts/surtr/email/ca/.gitignore @@ -3,4 +3,6 @@ *.old *.crt *.pkcs12 -certs \ No newline at end of file +*.p12 +certs +index.txt.bak \ No newline at end of file diff --git a/hosts/surtr/email/ca/index.txt b/hosts/surtr/email/ca/index.txt index 40c9605a..cbaf96b2 100644 --- a/hosts/surtr/email/ca/index.txt +++ b/hosts/surtr/email/ca/index.txt @@ -1,2 +1,3 @@ V 320513204402Z 03 unknown /CN=gkleen V 320515063648Z 04 unknown /CN=nmuehlbauer +V 320910104724Z 05 unknown /CN=mwgnr diff --git a/hosts/surtr/email/ca/serial b/hosts/surtr/email/ca/serial index eeee65ec..cd672a53 100644 --- a/hosts/surtr/email/ca/serial +++ b/hosts/surtr/email/ca/serial @@ -1 +1 @@ -05 +06 diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix index e3a52f9a..46c2f338 100644 --- a/hosts/surtr/matrix/default.nix +++ b/hosts/surtr/matrix/default.nix @@ -111,7 +111,7 @@ with lib; ProtectClock = true; ProtectHostname = true; - ProtectHome = "tmpfs"; + ProtectHome = true; ProtectKernelLogs = true; ProtectProc = "invisible"; @@ -123,7 +123,7 @@ with lib; SystemCallArchitectures = "native"; SystemCallFilter = ["@system-service" "~@privileged @resources @obsolete"]; - + RestrictSUIDSGID = true; RemoveIPC = true; NoNewPrivileges = true; @@ -174,7 +174,7 @@ with lib; ${corsHeaders} ''; return = "200 '${builtins.toJSON { - "m.server" = "synapse.li:443"; + "m.server" = "synapse.li:443"; }}'"; }; "= /.well-known/matrix/client" = { 
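Review bot: The ignore list in hosts/surtr/email/ca/.gitignore remains an extension denylist, so the added `*.p12` only covers one more spelling of a PKCS#12 bundle. A bundle exported as `.pfx`, or key material under any extension not listed, would still be picked up by `git add`. Lines 1–2 of the file are outside the hunk, so whatever key patterns they hold cannot be checked from here. I would add `*.pfx` next to `*.p12`, or invert the file so it ignores `*` and re-includes only the CA state that is meant to be tracked (`!index.txt`, `!serial` and whatever else applies).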
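Review bot: The switch from `ProtectHome = "tmpfs"` to `ProtectHome = true` in hosts/surtr/matrix/default.nix (hunk at line 111) carries no rationale, and the commit subject gives none either. With `true`, /home, /root and /run/user become inaccessible to the unit. With `"tmpfs"` they are empty read-only mounts, under which `BindPaths=` or `BindReadOnlyPaths=` entries can still be exposed. If the unit binds anything below those directories the stricter setting would probably break it, though no such binding is visible in the hunk. I would add a comment above the line, for example `# unit needs nothing under /home, /root or /run/user, so hide them entirely`. The enclosing attribute set starts and ends outside the hunk.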
@@ -198,7 +198,7 @@ with lib; sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem"; extraConfig = '' add_header Strict-Transport-Security "max-age=63072000" always; - + add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; @@ -240,7 +240,7 @@ with lib; "synapse.li".certCfg = { postRun = '' ${pkgs.systemd}/bin/systemctl try-restart nginx.service - ''; + ''; }; }; -- cgit v1.2.3