nixos/doc/manual/release-notes/rl-2009.xml +2 −2 @@ -427,8 +427,8 @@ php.override { </listitem> <listitem> <para> Add option <literal>services.nginx.enableSandbox</literal> to starting Nginx web server with additional sandbox/hardening options. By default, write access to <literal>services.nginx.stateDir</literal> is allowed. To allow writing to other folders, Nginx web server now starting with additional sandbox/hardening options. By default, write access to <literal>services.nginx.stateDir</literal> is allowed. To allow writing to other folders, use <literal>systemd.services.nginx.serviceConfig.ReadWritePaths</literal> <programlisting> systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ]; nixos/modules/services/web-servers/nginx/default.nix +0 −9 @@ -463,14 +463,6 @@ in ''; }; enableSandbox = mkOption { default = false; type = types.bool; description = '' Starting Nginx web server with additional sandbox/hardening options. ''; }; user = mkOption { type = types.str; default = "nginx"; @@ -728,7 +720,6 @@ in CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ]; # Security NoNewPrivileges = true; } // optionalAttrs cfg.enableSandbox { # Sandboxing ProtectSystem = "strict"; ProtectHome = mkDefault true; nixos/tests/nginx-sandbox.nix +0 −1 @@ -18,7 +18,6 @@ import ./make-test-python.nix ({ pkgs, ... }: { ]; services.nginx.enable = true; services.nginx.package = pkgs.nginx-lua; services.nginx.enableSandbox = true; services.nginx.virtualHosts.localhost = { extraConfig = '' location /test1-write {
nixos/doc/manual/release-notes/rl-2009.xml +2 −2 @@ -427,8 +427,8 @@ php.override { </listitem> <listitem> <para> Add option <literal>services.nginx.enableSandbox</literal> to starting Nginx web server with additional sandbox/hardening options. By default, write access to <literal>services.nginx.stateDir</literal> is allowed. To allow writing to other folders, Nginx web server now starting with additional sandbox/hardening options. By default, write access to <literal>services.nginx.stateDir</literal> is allowed. To allow writing to other folders, use <literal>systemd.services.nginx.serviceConfig.ReadWritePaths</literal> <programlisting> systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
nixos/modules/services/web-servers/nginx/default.nix +0 −9 @@ -463,14 +463,6 @@ in ''; }; enableSandbox = mkOption { default = false; type = types.bool; description = '' Starting Nginx web server with additional sandbox/hardening options. ''; }; user = mkOption { type = types.str; default = "nginx"; @@ -728,7 +720,6 @@ in CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ]; # Security NoNewPrivileges = true; } // optionalAttrs cfg.enableSandbox { # Sandboxing ProtectSystem = "strict"; ProtectHome = mkDefault true;
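Review bot: Removing the `enableSandbox` declaration in the first hunk leaves no visible shim for configurations that still set `services.nginx.enableSandbox`, so they would fail evaluation with an undefined-option error unless one is added elsewhere in the commit. Consider adding `(mkRemovedOptionModule [ "services" "nginx" "enableSandbox" ] "Nginx is now always started with sandboxing; use systemd.services.nginx.serviceConfig.ReadWritePaths for extra writable paths.")` to the module's `imports`. With `// optionalAttrs cfg.enableSandbox` gone in the second hunk, `ProtectSystem = "strict"` and `ProtectHome = mkDefault true` now apply to every deployment, so sites that read content from home directories lose access by default; the release note only covers write paths and could mention overriding `ProtectHome`. The serviceConfig attribute set starts and ends outside the hunk, so the remaining sandbox options are not visible here.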
nixos/tests/nginx-sandbox.nix +0 −1 @@ -18,7 +18,6 @@ import ./make-test-python.nix ({ pkgs, ... }: { ]; services.nginx.enable = true; services.nginx.package = pkgs.nginx-lua; services.nginx.enableSandbox = true; services.nginx.virtualHosts.localhost = { extraConfig = '' location /test1-write {