authorFrederik Rietdijk <fridh@fridh.nl>2020-05-14 09:25:16 +0200
committerFrederik Rietdijk <fridh@fridh.nl>2020-05-14 09:25:25 +0200
commit92a26320e7b9bbfe781e222a17c518443f63316a (patch)
treedb6e4fe7706ec8c065d7efe10e93b38ea1b149ba /nixos/modules/services/web-servers/nginx/default.nix
parent2006fd4fc5a20c72ab2166b2b4039307f4f54bcb (diff)
parent85a05878846b75254f97b8690c18a470cfe982f0 (diff)
Merge master into staging-next
Diffstat (limited to 'nixos/modules/services/web-servers/nginx/default.nix')
-rw-r--r--nixos/modules/services/web-servers/nginx/default.nix29
1 files changed, 29 insertions, 0 deletions
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 1e9cda7e4785..312d2b0a21a7 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -463,6 +463,14 @@ in
         '';
       };
 
+      enableSandbox = mkOption {
+        default = false;
+        type = types.bool;
+        description = ''
+          Starting Nginx web server with additional sandbox/hardening options.
+        '';
+      };
+
       user = mkOption {
         type = types.str;
         default = "nginx";
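Review bot: The `enableSandbox` description on the added option lines is a sentence fragment and tells the operator nothing about what the switch does or what it can break, which matters because it defaults to `false` and has to be opted into knowingly. The sandbox block this same commit adds further down sets `ProtectSystem = "strict"`, `ProtectHome`, `PrivateDevices` and a conditional `MemoryDenyWriteExecute`, so a virtual host served from a home directory, a log or root path outside the unit's state/log directories, or a module that needs writable executable memory will fail once the option is enabled. I would replace the description with: `Start the Nginx web server with additional systemd sandboxing/hardening options (ProtectSystem=strict, ProtectHome, PrivateDevices, MemoryDenyWriteExecute, ...). With the sandbox enabled, paths outside the nginx state and log directories are read-only; grant access explicitly (e.g. via systemd.services.nginx.serviceConfig.ReadWritePaths or BindPaths) if your configuration needs it.` Note that `ProtectHome` is set with `mkDefault` while the other sandbox settings are not, so only that one can be overridden without `mkForce`; the description could mention this so operators are not surprised when an override is silently ignored.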
@@ -710,6 +718,27 @@ in
         LogsDirectoryMode = "0750";
         # Capabilities
         AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
+        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
+        # Security
+        NoNewPrivileges = true;
+      } // optionalAttrs cfg.enableSandbox {
+        # Sandboxing
+        ProtectSystem = "strict";
+        ProtectHome = mkDefault true;
+        PrivateTmp = true;
+        PrivateDevices = true;
+        ProtectHostname = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectControlGroups = true;
+        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+        LockPersonality = true;
+        MemoryDenyWriteExecute = !(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) pkgs.nginx.modules);
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        PrivateMounts = true;
+        # System Call Filtering
+        SystemCallArchitectures = "native";
       };
     };