Nginx: Difference between revisions

← Older edit Newer edit →

VisualWikitext

@@ Line 148: / Line 148: @@
 <syntaxhighlight lang="nix">
-security.pam.services.nginx.setEnvironment = false;
+  security.pam.services.nginx.setEnvironment = false;
+  systemd.services.nginx.serviceConfig = {
+    SupplementaryGroups = [ "shadow" ];
+    NoNewPrivileges = lib.mkForce false;
+    PrivateDevices = lib.mkForce false;
+    ProtectHostname = lib.mkForce false;
+    ProtectKernelTunables = lib.mkForce false;
+    ProtectKernelModules = lib.mkForce false;
+    RestrictAddressFamilies = lib.mkForce [ ];
+    LockPersonality = lib.mkForce false;
+    MemoryDenyWriteExecute = lib.mkForce false;
+    RestrictRealtime = lib.mkForce false;
+    RestrictSUIDSGID = lib.mkForce false;
+    SystemCallArchitectures = lib.mkForce "";
+    ProtectClock = lib.mkForce false;
+    ProtectKernelLogs = lib.mkForce false;
+    RestrictNamespaces = lib.mkForce false;
+    SystemCallFilter = lib.mkForce "";
+  };
-services.nginx = {
+  services.nginx = {
-  package = (pkgs.nginx.override { modules = [ pkgs.nginxModules.pam ]; });  # add PAM module
+    enable = true;
+    additionalModules = [ pkgs.nginxModules.pam ];
+    ...
+    virtualHosts."example.com".extraConfig = ''
+      auth_pam  "Password Required";
+      auth_pam_service_name "nginx";
+    '';
+    ...
+    };
+  };
-  ...
-  virtualHosts."example.com".extraConfig = ''
-    auth_pam  "Password Required";
-    auth_pam_service_name "nginx";
-  '';
-};
 </syntaxhighlight>