author: Niklas Hambüchen <mail@nh2.me> 2020-11-08 16:58:58 +0100
committer: Niklas Hambüchen <mail@nh2.me> 2020-11-08 17:03:07 +0100
commit: 2f845dccbf525cbf79ac64629e9eb932f56dc86f (patch)
tree: f03f70c92a559e19f2fc00e0bd58d65ccedf813d /nixos/doc
parent: 34ad166a830d3ac1541dcce571c52231f2f0865a (diff)
manual: nginx: Mention ProtectHome in release notes. See #85567.
See https://github.com/NixOS/nixpkgs/pull/85567#pullrequestreview-525820684
Diffstat (limited to 'nixos/doc')
-rw-r--r-- nixos/doc/manual/release-notes/rl-2009.xml 11
1 files changed, 11 insertions, 0 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml
index 01f113198eb92..5845cc48c545f 100644
--- a/nixos/doc/manual/release-notes/rl-2009.xml
+++ b/nixos/doc/manual/release-notes/rl-2009.xml
@@ -885,6 +885,17 @@ php.override {
 systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
        </programlisting>
      </para>
+     <para>
+       Nginx is also started with the systemd option <literal>ProtectHome = mkDefault true;</literal>
+       which forbids it to read anything from <literal>/home</literal>, <literal>/root</literal>
+       and <literal>/run/user</literal> (see
+       <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHome=">ProtectHome docs</link>
+       for details).
+       If you require serving files from home directories, you may choose to set e.g.
+<programlisting>
+systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
+</programlisting>
+     </para>
    </listitem>
    <listitem>
     <para>
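Review bot: The suggested override in the added paragraph, ProtectHome = "read-only", makes all of /home, /root and /run/user readable to nginx again, not only the directory being served, and the text does not say so. I would add a sentence stating that the setting relaxes the protection for all three trees, so readers know what they are trading away. It is also worth saying that a plain assignment is enough because the default is set with mkDefault, which the first sentence mentions but does not explain. Two smaller points: "you may choose to set e.g." runs straight into the programlisting and would read better ending in a colon, and the new programlisting tags sit at column 0 while the closing tag in the context above is indented.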