authorIzorkin <izorkin@elven.pw>2020-05-12 15:02:57 +0300
committerIzorkin <izorkin@elven.pw>2020-05-12 20:03:29 +0300
commit94391fce1d5c4580482271c2b49ecffdef38b017 (patch)
tree4e3d9ca49acbb82a3861533ca1465c4a231a3fee /nixos/modules/services/web-servers
parentaa12fb8adb312943a0ce8a059ce47733249eb5fe (diff)
nixos/nginx: add option enableSandbox
Diffstat (limited to 'nixos/modules/services/web-servers')
-rw-r--r--nixos/modules/services/web-servers/nginx/default.nix9
1 files changed, 9 insertions, 0 deletions
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 75fe1df506b3..312d2b0a21a7 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -463,6 +463,14 @@ in
         '';
       };
 
+      enableSandbox = mkOption {
+        default = false;
+        type = types.bool;
+        description = ''
+          Starting Nginx web server with additional sandbox/hardening options.
+        '';
+      };
+
       user = mkOption {
         type = types.str;
         default = "nginx";
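Review bot: The `description` of `enableSandbox` does not say which restrictions the option turns on or what it can break, so an administrator cannot judge whether enabling it is safe for their virtual hosts. The second hunk shows it gates at least `ProtectSystem = "strict"` and `ProtectHome`, which make most of the file system read-only and hide home directories from nginx. I would word it as `Whether to run nginx with additional systemd sandboxing (read-only file system, no access to home directories). Paths that nginx must write to, or serve from a home directory, then have to be allowed explicitly.`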
@@ -713,6 +721,7 @@ in
         CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
         # Security
         NoNewPrivileges = true;
+      } // optionalAttrs cfg.enableSandbox {
         # Sandboxing
         ProtectSystem = "strict";
         ProtectHome = mkDefault true;
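Review bot: Because `enableSandbox` defaults to `false`, the `ProtectSystem = "strict"` and `ProtectHome` settings that the context lines show were applied unconditionally before are now dropped for every existing configuration that does not set the option. Only `CapabilityBoundingSet` and `NoNewPrivileges` remain in the always-on part visible here; the attribute set continues past the end of the hunk, so any further directives below this point are presumably gated as well. If the opt-in is deliberate for compatibility, a comment on the merge line would record that, for example `# Opt-in: ProtectSystem=strict breaks setups that write outside the state directories`, and the change deserves a release note. Otherwise consider keeping the hardening on by default and letting affected users disable it.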