Merge pull request #20 from archtika/devel

Set prod module nix configuration
2025-11-22 02:41:35 +01:00 · 2024-12-08 18:03:15 +01:00
parent 5a9526174f a6c0cf5167
commit fe42f275a5
2 changed files with 24 additions and 6 deletions
--- a/nix/deploy/prod/default.nix
+++ b/nix/deploy/prod/default.nix
@@ -6,8 +6,9 @@
    ../../module.nix
  ];
-  networking.hostName = "archtika-prod";
+  networking.hostName = "archtika-demo";
  /*
  services.archtika = {
    enable = true;
    package = localArchtikaPackage;
@@ -15,5 +16,11 @@
    acmeEmail = "thilo.hohlt@tutanota.com";
    dnsProvider = "porkbun";
    dnsEnvironmentFile = /var/lib/porkbun.env;
    settings = {
      disableRegistration = true;
      maxWebsiteStorageSize = 50;
      maxUserWebsites = 2;
    };
  };
  */
 }
--- a/nix/module.nix
+++ b/nix/module.nix
@@ -28,9 +28,13 @@ let
    RestrictRealtime = true;
    RestrictSUIDSGID = true;
    SystemCallArchitectures = "native";
-    SystemCallFilter = ["@system-service" "~@privileged" "~@resources"];
+    SystemCallFilter = [
-    
+      "@system-service"
-    ReadWritePaths = ["/var/www/archtika-websites"];
+      "~@privileged"
      "~@resources"
    ];
    ReadWritePaths = [ "/var/www/archtika-websites" ];
  };
 in
 {
@@ -154,7 +158,11 @@ in
        Restart = "always";
        WorkingDirectory = "${cfg.package}/rest-api";
-        RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX"];
+        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
          "AF_UNIX"
        ];
      };
      script = ''
@@ -181,7 +189,10 @@ in
        Restart = "always";
        WorkingDirectory = "${cfg.package}/web-app";
-        RestrictAddressFamilies = ["AF_INET" "AF_INET6"];
+        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
        ];
      };
      script = ''