From aacca16eb2233dac4ad3d16ba9443ea5256bf5d2 Mon Sep 17 00:00:00 2001
From: soraefir
Date: Fri, 8 May 2026 21:05:08 +0200
Subject: [PATCH] fix tmpfs
---
 modules/server/containers/defs/nextcloud.nix | 2 +-
 modules/server/containers/defs/traefik.nix | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/modules/server/containers/defs/nextcloud.nix b/modules/server/containers/defs/nextcloud.nix
index 84ccd9d..8714fba 100644
--- a/modules/server/containers/defs/nextcloud.nix
+++ b/modules/server/containers/defs/nextcloud.nix
@@ -44,7 +44,7 @@ in {
 "traefik.http.middlewares.sts_headers.headers.stsIncludeSubdomains" = "true";
 };
 extraOptions = [
- "--tmpfs /tmp:rw,mode=1777"
+ "--tmpfs=/tmp:rw,noexec,nosuid,size=64m"
 ];
 overrides = {
 ports = if containerCfg.pubPort!=null && containerCfg.port!=null then [ "${toString containerCfg.pubPort}:${toString containerCfg.port}" ] else [];
diff --git a/modules/server/containers/defs/traefik.nix b/modules/server/containers/defs/traefik.nix
index cb544ae..a3631d1 100644
--- a/modules/server/containers/defs/traefik.nix
+++ b/modules/server/containers/defs/traefik.nix
@@ -17,7 +17,6 @@ in {
 server = builder.mkContainer {
 subdomain = containerCfg.subdomain;
 image = "traefik:${version}";
- port = containerCfg.port;
 ip = containerCfg.ip;
 secret = name;
 extraEnv = {
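Review bot: The new `--tmpfs` string in `extraOptions` (nextcloud.nix) lists `noexec,nosuid` but not `nodev`, and it drops the `mode=1777` that the old line set explicitly. Whether the container runtime still applies its own defaults once an option list is given cannot be told from this hunk, so spelling both out keeps the mount independent of the backend: `"--tmpfs=/tmp:rw,noexec,nosuid,nodev,size=64m,mode=1777"`. The 64m cap also deserves a one-line comment above the entry, for example `# /tmp is RAM-backed and capped; writes fail once 64m is used`, because anything the container stages in /tmp (presumably upload temp files, if they land there) now hits that limit. The enclosing attribute set starts and ends outside the hunk.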