author | Frederik Rietdijk <fridh@fridh.nl> | 2020-05-14 09:25:16 +0200 |
committer | Frederik Rietdijk <fridh@fridh.nl> | 2020-05-14 09:25:25 +0200 |
commit | 92a26320e7b9bbfe781e222a17c518443f63316a (patch) | |
tree | db6e4fe7706ec8c065d7efe10e93b38ea1b149ba /nixos/modules/services/web-servers/nginx/default.nix | |
parent | 2006fd4fc5a20c72ab2166b2b4039307f4f54bcb (diff) | |
parent | 85a05878846b75254f97b8690c18a470cfe982f0 (diff) | |
Merge master into staging-next
Diffstat (limited to 'nixos/modules/services/web-servers/nginx/default.nix')
-rw-r--r-- | nixos/modules/services/web-servers/nginx/default.nix | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 1e9cda7e4785..312d2b0a21a7 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -463,6 +463,14 @@ in
 '';
 };
+ enableSandbox = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ Starting Nginx web server with additional sandbox/hardening options.
+ '';
+ };
+
 user = mkOption {
 type = types.str;
 default = "nginx";
@@ -710,6 +718,27 @@ in
 LogsDirectoryMode = "0750";
 # Capabilities
 AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
+ CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
+ # Security
+ NoNewPrivileges = true;
+ } // optionalAttrs cfg.enableSandbox {
+ # Sandboxing
+ ProtectSystem = "strict";
+ ProtectHome = mkDefault true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ ProtectHostname = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+ LockPersonality = true;
+ MemoryDenyWriteExecute = !(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) pkgs.nginx.modules);
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ PrivateMounts = true;
+ # System Call Filtering
+ SystemCallArchitectures = "native";
 };
 };
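Review bot: The `MemoryDenyWriteExecute` line in the second hunk consults `pkgs.nginx.modules`, i.e. the modules of the default nginx package, rather than the package this service actually runs; if the module exposes the usual `services.nginx.package` option (as `cfg.package`, not visible in this hunk), a user running a different nginx build with a JIT-based module (one that sets `allowMemoryWriteExecute = true`) would still get W^X enforced and its workers would be killed at runtime, while a default build with no such module is unaffected. It should read `MemoryDenyWriteExecute = !(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) cfg.package.modules);` so the check follows the package in use. The `# System Call Filtering` comment is misleading because only `SystemCallArchitectures = "native"` is set and no `SystemCallFilter` is given; either add a filter set or reword the comment to `# Only native syscall ABI; no SystemCallFilter yet`. `ProtectSystem = "strict"` makes the whole tree read-only except state/log/cache directories granted elsewhere, so any user-configured writable path (cache or temp paths in `appendHttpConfig`, for example) presumably needs a `ReadWritePaths` entry or the option's description should warn about it; confirm against the rest of the serviceConfig, which starts outside this hunk.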