setup.sh

@@ -64,6 +64,7 @@ if [ "${ip_pinning}" = '1' ]; then
 fi
 
 # Setup webroot for NGINX
+## Explicitly using /var/srv here because SELinux does not follow symlinks
 sudo semanage fcontext -a -t httpd_sys_content_t "$(realpath /srv/nginx)(/.*)?"
 sudo mkdir -p /srv/nginx/.well-known/acme-challenge
 sudo chmod -R 755 /srv/nginx
@@ -73,6 +74,12 @@ unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main
 sudo chmod 644 /srv/nginx/ads.txt /srv/nginx/app-ads.txt /srv/nginx/robots.txt
 sudo restorecon -Rv "$(realpath /srv/nginx)"
 
+# NGINX hardening
+sudo mkdir -p /etc/systemd/system/nginx.service.d
+unpriv curl -s https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/nginx.service.d/local.conf | sudo tee /etc/systemd/system/nginx.service.d/override.conf > /dev/null
+sudo chmod 644 /etc/systemd/system/nginx.service.d/override.conf
+sudo systemctl daemon-reload
+
 # Setup nginx-create-session-ticket-keys
 
 sudo mkdir -p /etc/nginx/session-ticket-keys