authorLucas Savva <lucas@m1cr0man.com>2021-12-18 14:52:32 +0000
committerLucas Savva <lucas@m1cr0man.com>2021-12-26 16:49:59 +0000
commit65f1b8c6ae2f2cf6a13d77b98b42eba31eef0424 (patch)
tree652f77c0cd5bf2d652b49e4eb2f0ec09f917f6c5 /nixos/modules/security/acme.nix
parent2dcc3daadf3718b3b0216d4cfbaab9040a9beffd (diff)
nixos/acme: Add test for lego's built-in web server
In the process I also found that the CapabilityBoundingSet
was restricting the service from listening on port 80, and
the AmbientCapabilities was ineffective. Fixed appropriately.
Diffstat (limited to 'nixos/modules/security/acme.nix')
-rw-r--r--nixos/modules/security/acme.nix2
1 files changed, 1 insertions, 1 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index 2b3a86f96fc..e244989d640 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -324,7 +324,7 @@ let
           fi
         '');
       } // optionalAttrs (data.listenHTTP != null && toInt (elemAt (splitString ":" data.listenHTTP) 1) < 1024) {
-        AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
       };
 
       # Working directory will be /tmp
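Review bot: Replacing AmbientCapabilities with CapabilityBoundingSet at the changed line removes the only directive that grants CAP_NET_BIND_SERVICE to the process, since the bounding set merely caps which capabilities may be held and does not add any to a non-root service. If the ACME service runs under a dedicated user (the user and the hardening block are outside this hunk, so this is inferred), lego will still fail to bind a port below 1024 after this change; the original AmbientCapabilities was presumably ineffective only because a restrictive CapabilityBoundingSet elsewhere excluded it. The attribute set should carry both: `CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];` and `AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];`. Note also that the condition's port parse `elemAt (splitString ":" data.listenHTTP) 1` assumes exactly one colon, which is pre-existing but worth a comment such as `# listenHTTP is expected as ":port" or "host:port"; bracketed IPv6 addresses are not handled here`. The enclosing `let` binding begins before this hunk.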