author | Florian Klink <flokli@flokli.de> | 2020-09-10 20:33:25 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-09-10 20:33:25 +0200 |
commit | 484632983ffd5cf5faa864c551386b92459a255b (patch) | |
tree | e4634d83fe889f7f399458fcc58012c001cc7a86 /nixos | |
parent | 20e90aac2e5ce9b44398faaf5cc971e4d09d305a (diff) | |
parent | 535896671b66d308df3ce467c94f8a9fecfdffea (diff) |
Merge pull request #97631 from Izorkin/nginx-sandboxing
nixos/nginx: remove option enableSandbox
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2009.xml | 4 | ||||
-rw-r--r-- | nixos/modules/services/web-servers/nginx/default.nix | 9 | ||||
-rw-r--r-- | nixos/tests/nginx-sandbox.nix | 1 |
3 files changed, 2 insertions, 12 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml
index 87eeadbe13a6a..7020bb70c57da 100644
--- a/nixos/doc/manual/release-notes/rl-2009.xml
+++ b/nixos/doc/manual/release-notes/rl-2009.xml
@@ -427,8 +427,8 @@ php.override {
 </listitem>
 <listitem>
 <para>
- Add option <literal>services.nginx.enableSandbox</literal> to starting Nginx web server with additional sandbox/hardening options.
- By default, write access to <literal>services.nginx.stateDir</literal> is allowed. To allow writing to other folders,
+ Nginx web server now starting with additional sandbox/hardening options. By default, write access
+ to <literal>services.nginx.stateDir</literal> is allowed. To allow writing to other folders,
 use <literal>systemd.services.nginx.serviceConfig.ReadWritePaths</literal>
 <programlisting>
 systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 975b56d478229..39bcb14e5afe8 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -463,14 +463,6 @@ in
 '';
 };

- enableSandbox = mkOption {
- default = false;
- type = types.bool;
- description = ''
- Starting Nginx web server with additional sandbox/hardening options.
- '';
- };
-
 user = mkOption {
 type = types.str;
 default = "nginx";
@@ -728,7 +720,6 @@ in
 CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
 # Security
 NoNewPrivileges = true;
- } // optionalAttrs cfg.enableSandbox {
 # Sandboxing
 ProtectSystem = "strict";
 ProtectHome = mkDefault true;
diff --git a/nixos/tests/nginx-sandbox.nix b/nixos/tests/nginx-sandbox.nix
index bc9d3ba8add7e..514318c9456c4 100644
--- a/nixos/tests/nginx-sandbox.nix
+++ b/nixos/tests/nginx-sandbox.nix
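Review bot: In the `@@ -728,7 +720,6 @@` hunk of nginx/default.nix, `ProtectSystem = "strict";` becomes unconditional once the `optionalAttrs cfg.enableSandbox` guard is dropped, yet unlike `ProtectHome = mkDefault true;` on the next line it is a plain definition, so a host that has to change it will most likely need `mkForce`. If that friction is intended, say so at the `# Sandboxing` marker, for example `# Always on: grant write access with serviceConfig.ReadWritePaths instead of relaxing ProtectSystem.`; if it is not, the two lines should be consistent. With no toggle left, an existing deployment that writes outside `services.nginx.stateDir` will only notice at runtime, so the comment and the release-note entry are the only guidance an operator gets. The serviceConfig attribute set starts and ends outside the hunk, so the remaining hardening options are not visible here.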
@@ -18,7 +18,6 @@ import ./make-test-python.nix ({ pkgs, ... }: {
 ];
 services.nginx.enable = true;
 services.nginx.package = pkgs.nginx-lua;
- services.nginx.enableSandbox = true;
 services.nginx.virtualHosts.localhost = {
 extraConfig = ''
 location /test1-write { |