about summary refs log tree commit diff
path: root/nixos
diff options
context:
space:
mode:
authorFlorian Klink <flokli@flokli.de>2020-09-10 20:33:25 +0200
committerGitHub <noreply@github.com>2020-09-10 20:33:25 +0200
commit484632983ffd5cf5faa864c551386b92459a255b (patch)
treee4634d83fe889f7f399458fcc58012c001cc7a86 /nixos
parent20e90aac2e5ce9b44398faaf5cc971e4d09d305a (diff)
parent535896671b66d308df3ce467c94f8a9fecfdffea (diff)
Merge pull request #97631 from Izorkin/nginx-sandboxing
nixos/nginx: remove option enableSandbox
Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/release-notes/rl-2009.xml4
-rw-r--r--nixos/modules/services/web-servers/nginx/default.nix9
-rw-r--r--nixos/tests/nginx-sandbox.nix1
3 files changed, 2 insertions, 12 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml
index 87eeadbe13a6a..7020bb70c57da 100644
--- a/nixos/doc/manual/release-notes/rl-2009.xml
+++ b/nixos/doc/manual/release-notes/rl-2009.xml
@@ -427,8 +427,8 @@ php.override {
    </listitem>
    <listitem>
      <para>
-       Add option <literal>services.nginx.enableSandbox</literal> to starting Nginx web server with additional sandbox/hardening options.
-       By default, write access to <literal>services.nginx.stateDir</literal> is allowed. To allow writing to other folders,
+       Nginx web server now starting with additional sandbox/hardening options. By default, write access
+       to <literal>services.nginx.stateDir</literal> is allowed. To allow writing to other folders,
        use <literal>systemd.services.nginx.serviceConfig.ReadWritePaths</literal>
        <programlisting>
 systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 975b56d478229..39bcb14e5afe8 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -463,14 +463,6 @@ in
         '';
       };
 
-      enableSandbox = mkOption {
-        default = false;
-        type = types.bool;
-        description = ''
-          Starting Nginx web server with additional sandbox/hardening options.
-        '';
-      };
-
       user = mkOption {
         type = types.str;
         default = "nginx";
@@ -728,7 +720,6 @@ in
         CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
         # Security
         NoNewPrivileges = true;
-      } // optionalAttrs cfg.enableSandbox {
         # Sandboxing
         ProtectSystem = "strict";
         ProtectHome = mkDefault true;
diff --git a/nixos/tests/nginx-sandbox.nix b/nixos/tests/nginx-sandbox.nix
index bc9d3ba8add7e..514318c9456c4 100644
--- a/nixos/tests/nginx-sandbox.nix
+++ b/nixos/tests/nginx-sandbox.nix
@@ -18,7 +18,6 @@ import ./make-test-python.nix ({ pkgs, ... }: {
     ];
     services.nginx.enable = true;
     services.nginx.package = pkgs.nginx-lua;
-    services.nginx.enableSandbox = true;
     services.nginx.virtualHosts.localhost = {
       extraConfig = ''
         location /test1-write {
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-09-19 06:53:05 +0000