Loading nixos/modules/services/web-servers/nginx/default.nix +28 −2 Original line number Diff line number Diff line Loading @@ -146,6 +146,10 @@ let error_log ${cfg.logError}; daemon off; ${optionalString cfg.enableQuicBPF '' quic_bpf on; ''} ${cfg.config} ${optionalString (cfg.eventsConfig != "" || cfg.config == "") '' Loading Loading @@ -783,6 +787,19 @@ in ''; }; enableQuicBPF = mkOption { default = false; type = types.bool; description = lib.mdDoc '' Enables routing of QUIC packets using eBPF. When enabled, this allows to support QUIC connection migration. The directive is only supported on Linux 5.7+. Note that enabling this option will make nginx run with extended capabilities that are usually limited to processes running as root namely `CAP_SYS_ADMIN` and `CAP_NET_ADMIN`. ''; }; user = mkOption { type = types.str; default = "nginx"; Loading Loading @@ -1125,6 +1142,14 @@ in ''; } { assertion = cfg.package.pname != "nginxQuic" -> !(cfg.enableQuicBPF); message = '' services.nginx.enableQuicBPF requires using nginxQuic package, which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;`. ''; } { assertion = cfg.package.pname != "nginxQuic" -> all (host: !host.quic) (attrValues virtualHosts); message = '' Loading Loading @@ -1224,8 +1249,8 @@ in # New file permissions UMask = "0027"; # 0640 / 0750 # Capabilities AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ]; CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ]; AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ] ++ optionals cfg.enableQuicBPF [ "CAP_SYS_ADMIN" "CAP_NET_ADMIN" ]; CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ] ++ optionals cfg.enableQuicBPF [ "CAP_SYS_ADMIN" "CAP_NET_ADMIN" ]; # Security NoNewPrivileges = true; # Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html) Loading 
@@ -1250,6 +1275,7 @@ in # System Call Filtering SystemCallArchitectures = "native"; SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" ] ++ optional cfg.enableQuicBPF [ "bpf" ] ++ optionals ((cfg.package != pkgs.tengine) && (cfg.package != pkgs.openresty) && (!lib.any (mod: (mod.disableIPC or false)) cfg.package.modules)) [ "~@ipc" ]; }; }; Loading Loading
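Review bot: In the SystemCallFilter hunk, `optional cfg.enableQuicBPF [ "bpf" ]` uses the singular `optional`, which wraps its argument in a list and so yields a nested `[ [ "bpf" ] ]` element, whereas the capability lines a few hunks above use `optionals` with a list; the consistent form is `++ optionals cfg.enableQuicBPF [ "bpf" ]` (or `++ optional cfg.enableQuicBPF "bpf"`). Whether the nested list happens to render correctly in the unit file is not visible here, so it should be checked rather than relied on. Separately, granting `CAP_SYS_ADMIN` to a network-facing daemon is a large widening of the sandbox; on kernels that provide the narrower `CAP_BPF` (5.8+) the pair `CAP_BPF` + `CAP_NET_ADMIN` may be sufficient for the bpf(2) loading quic_bpf needs, which is worth verifying against the nginx quic_bpf documentation before settling on `CAP_SYS_ADMIN`. If `CAP_SYS_ADMIN` stays, the option description could state the threat model explicitly, e.g. `Note that CAP_SYS_ADMIN effectively removes most of the systemd sandboxing benefit for the nginx master process; prefer leaving this off unless QUIC connection migration is required.` This file section is rendered twice on the page; the same points apply to the second copy.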
nixos/modules/services/web-servers/nginx/default.nix +28 −2 Original line number Diff line number Diff line Loading @@ -146,6 +146,10 @@ let error_log ${cfg.logError}; daemon off; ${optionalString cfg.enableQuicBPF '' quic_bpf on; ''} ${cfg.config} ${optionalString (cfg.eventsConfig != "" || cfg.config == "") '' Loading Loading @@ -783,6 +787,19 @@ in ''; }; enableQuicBPF = mkOption { default = false; type = types.bool; description = lib.mdDoc '' Enables routing of QUIC packets using eBPF. When enabled, this allows to support QUIC connection migration. The directive is only supported on Linux 5.7+. Note that enabling this option will make nginx run with extended capabilities that are usually limited to processes running as root namely `CAP_SYS_ADMIN` and `CAP_NET_ADMIN`. ''; }; user = mkOption { type = types.str; default = "nginx"; Loading Loading @@ -1125,6 +1142,14 @@ in ''; } { assertion = cfg.package.pname != "nginxQuic" -> !(cfg.enableQuicBPF); message = '' services.nginx.enableQuicBPF requires using nginxQuic package, which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;`. ''; } { assertion = cfg.package.pname != "nginxQuic" -> all (host: !host.quic) (attrValues virtualHosts); message = '' Loading Loading @@ -1224,8 +1249,8 @@ in # New file permissions UMask = "0027"; # 0640 / 0750 # Capabilities AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ]; CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ]; AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ] ++ optionals cfg.enableQuicBPF [ "CAP_SYS_ADMIN" "CAP_NET_ADMIN" ]; CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ] ++ optionals cfg.enableQuicBPF [ "CAP_SYS_ADMIN" "CAP_NET_ADMIN" ]; # Security NoNewPrivileges = true; # Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html) Loading 
@@ -1250,6 +1275,7 @@ in # System Call Filtering SystemCallArchitectures = "native"; SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" ] ++ optional cfg.enableQuicBPF [ "bpf" ] ++ optionals ((cfg.package != pkgs.tengine) && (cfg.package != pkgs.openresty) && (!lib.any (mod: (mod.disableIPC or false)) cfg.package.modules)) [ "~@ipc" ]; }; }; Loading