stuff

2025-07-25 23:39:55 -07:00
parent 3722ecc794
commit 7b8a5f80d6
2 changed files with 18 additions and 6 deletions
--- a/dns/shelvacu.com.nix
+++ b/dns/shelvacu.com.nix
@@ -23,12 +23,17 @@ in
      A = trip_ips;
      CAA = [
        {
-          issuerCritical = false;
+          issuerCritical = true;
          tag = "issue";
-          value = "letsencrypt.org;sectigo.com";
+          value = "letsencrypt.org";
        }
        {
-          issuerCritical = false;
+          issuerCritical = true;
+          tag = "issue";
+          value = "sectigo.com";
+        }
+        {
+          issuerCritical = true;
          tag = "issuewild";
          value = "letsencrypt.org";
        }
--- a/prophecy/dav-experiment.nix
+++ b/prophecy/dav-experiment.nix
@@ -37,14 +37,21 @@ in
    }
  ];

-  systemd.tmpfiles.settings."10-whatever"."/var/lib/dav-experiment".a = {
-    argument = "u:${config.services.caddy.user}:x";
+  systemd.tmpfiles.settings."10-whatever"."/var/lib/dav-experiment" = {
+    d = {
+      user = "dav-experiment";
+      group = "dav-experiment";
+      mode = "0700";
+    };
+    a.argument = "u:${config.services.caddy.user}:rx";
  };

  services.caddy.virtualHosts."dav-experiment.shelvacu.com".extraConfig = ''
    reverse_proxy unix/${dufsConfig.bind}
  '';

+  users.users.${config.services.caddy.user}.extraGroups = [ "dav-experiment" ];
+
  systemd.services.dav-experiment = {
    enable = true;
    wantedBy = [ "multi-user.target" ];
@@ -54,7 +61,7 @@ in
      ExecStart = "${lib.getExe pkgs.dufs} --config ${dufsConfigFile}";
      User = "dav-experiment";
      Group = "dav-experiment";
-      UMask = "0077";
+      UMask = "0017";

      SocketBindDeny = "any";
      RestrictNetworkInterfaces = "";