author | Izorkin <izorkin@elven.pw> | 2020-05-12 15:02:57 +0300 |
---|---|---|
committer | Izorkin <izorkin@elven.pw> | 2020-05-12 20:03:29 +0300 |
commit | 94391fce1d5c4580482271c2b49ecffdef38b017 (patch) | |
tree | 4e3d9ca49acbb82a3861533ca1465c4a231a3fee /nixos/modules | |
parent | aa12fb8adb312943a0ce8a059ce47733249eb5fe (diff) | |
nixos/nginx: add option enableSandbox
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/services/web-servers/nginx/default.nix | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 75fe1df506b3..312d2b0a21a7 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -463,6 +463,14 @@ in
 '';
 };
 
+ enableSandbox = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ Starting Nginx web server with additional sandbox/hardening options.
+ '';
+ };
+
 user = mkOption {
 type = types.str;
 default = "nginx";
@@ -713,6 +721,7 @@ in
 CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
 # Security
 NoNewPrivileges = true;
+ } // optionalAttrs cfg.enableSandbox {
 # Sandboxing
 ProtectSystem = "strict";
 ProtectHome = mkDefault true; |
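Review bot: The `description` of `enableSandbox` in the first hunk does not tell an operator what the switch controls or what protection is absent at the default `false`. Of the settings it gates, only `ProtectSystem` and `ProtectHome` are visible in this commit, so the text should at least name the group, for example `Whether to apply the systemd sandboxing settings (ProtectSystem, ProtectHome and the rest of the Sandboxing group) to the nginx unit. When false, only the capability and NoNewPrivileges restrictions are applied.` A plain boolean toggle like this could also be declared with `mkEnableOption`, if that matches the style of the rest of the module.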
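Review bot: In the second hunk, `} // optionalAttrs cfg.enableSandbox {` makes `ProtectSystem = "strict"` and `ProtectHome` opt-in, although both are context lines and so were applied unconditionally before this commit. Because the option defaults to `false`, existing configurations lose that hardening on upgrade with no warning or assertion. The attribute set continues past the end of the hunk, so the full list of settings that become conditional is not visible here. Consider keeping the settings that do not break common setups above the split, or defaulting the option to `true`. At minimum, mark the boundary with a comment such as `# Everything below applies only when cfg.enableSandbox is true (default: false).`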