authorFranz Pletz <fpletz@fnordicwalking.de>2019-12-26 14:16:15 +0100
committerFranz Pletz <fpletz@fnordicwalking.de>2019-12-26 14:17:36 +0100
commit77b6c3cd06a679140fb5a44f81f904497007f333 (patch)
treee8ed1606b326cdafba719cc2a14c527c1b601f2e /nixos/modules/services/web-servers/nginx
parent602bccd1a8262d4e6bd787838d21fc3c2c1c50ba (diff)
parent4d2dd1554618831f0a5b159b8a4dff86612c02a9 (diff)
Merge remote-tracking branch 'origin/master' into gcc-9
Diffstat (limited to 'nixos/modules/services/web-servers/nginx')
-rw-r--r--nixos/modules/services/web-servers/nginx/default.nix32
-rw-r--r--nixos/modules/services/web-servers/nginx/location-options.nix5
-rw-r--r--nixos/modules/services/web-servers/nginx/vhost-options.nix3
3 files changed, 24 insertions, 16 deletions
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index eb90dae94df..ada7a25604c 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -47,7 +47,7 @@ let
   ''));
 
   configFile = pkgs.writers.writeNginxConfig "nginx.conf" ''
-    user ${cfg.user} ${cfg.group};
+    pid /run/nginx/nginx.pid;
     error_log ${cfg.logError};
     daemon off;
 
@@ -366,12 +366,7 @@ in
 
       preStart =  mkOption {
         type = types.lines;
-        default = ''
-          test -d ${cfg.stateDir}/logs || mkdir -m 750 -p ${cfg.stateDir}/logs
-          test `stat -c %a ${cfg.stateDir}` = "750" || chmod 750 ${cfg.stateDir}
-          test `stat -c %a ${cfg.stateDir}/logs` = "750" || chmod 750 ${cfg.stateDir}/logs
-          chown -R ${cfg.user}:${cfg.group} ${cfg.stateDir}
-        '';
+        default = "";
         description = "
           Shell commands executed before the service's nginx is started.
         ";
@@ -673,23 +668,36 @@ in
       }
     ];
 
+    systemd.tmpfiles.rules = [
+      "d '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -"
+      "d '${cfg.stateDir}/logs' 0750 ${cfg.user} ${cfg.group} - -"
+      "Z '${cfg.stateDir}' - ${cfg.user} ${cfg.group} - -"
+    ];
+
     systemd.services.nginx = {
       description = "Nginx Web Server";
       wantedBy = [ "multi-user.target" ];
       wants = concatLists (map (vhostConfig: ["acme-${vhostConfig.serverName}.service" "acme-selfsigned-${vhostConfig.serverName}.service"]) acmeEnabledVhosts);
       after = [ "network.target" ] ++ map (vhostConfig: "acme-selfsigned-${vhostConfig.serverName}.service") acmeEnabledVhosts;
       stopIfChanged = false;
-      preStart =
-        ''
+      preStart = ''
         ${cfg.preStart}
-        ${cfg.package}/bin/nginx -c ${configPath} -p ${cfg.stateDir} -t
-        '';
+        ${cfg.package}/bin/nginx -c '${configPath}' -p '${cfg.stateDir}' -t
+      '';
       serviceConfig = {
-        ExecStart = "${cfg.package}/bin/nginx -c ${configPath} -p ${cfg.stateDir}";
+        ExecStart = "${cfg.package}/bin/nginx -c '${configPath}' -p '${cfg.stateDir}'";
         ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
         Restart = "always";
         RestartSec = "10s";
         StartLimitInterval = "1min";
+        # User and group
+        User = cfg.user;
+        Group = cfg.group;
+        # Runtime directory and mode
+        RuntimeDirectory = "nginx";
+        RuntimeDirectoryMode = "0750";
+        # Capabilities
+        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
       };
     };
 
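Review bot: The `AmbientCapabilities` line at the end of `serviceConfig` grants CAP_NET_BIND_SERVICE and CAP_SYS_RESOURCE to every process the unit spawns, and ambient capabilities survive exec, so the nginx workers — which under the previous root-master setup ran as `cfg.user` with no capabilities — now keep both; CAP_SYS_RESOURCE is much broader than binding privileged ports requires, so the `# Capabilities` comment should state why it is there (presumably to let the unprivileged master honour `worker_rlimit_nofile` — confirm), e.g. `# CAP_SYS_RESOURCE: unprivileged master must still be able to raise RLIMIT_NOFILE for workers`, or the capability should be dropped if nothing needs it. Two other consequences of `User = cfg.user` are not documented: the `preStart` block in this hunk runs as `ExecStartPre` under that user now, so any user-supplied `services.nginx.preStart` that relied on root (like the mkdir/chown lines removed in the `-366,12` hunk above) will fail, and the master can no longer read root-owned TLS keys unless they are readable by `cfg.group` — a release note or `warnings` entry for the first and a sentence in the `sslCertificateKey` docs for the second would save operators a failed upgrade. The `Z '${cfg.stateDir}'` tmpfiles rule re-applies ownership to the whole state tree on every tmpfiles run; systemd-tmpfiles does not follow symlinks here, so it is safe as written, but a comment such as `# Z: migrate ownership of state created by the old root-run preStart` would make clear it is transitional rather than a permanent recursive chown.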
diff --git a/nixos/modules/services/web-servers/nginx/location-options.nix b/nixos/modules/services/web-servers/nginx/location-options.nix
index aeb9b1dd79e..3d9e391ecf2 100644
--- a/nixos/modules/services/web-servers/nginx/location-options.nix
+++ b/nixos/modules/services/web-servers/nginx/location-options.nix
@@ -1,4 +1,4 @@
-# This file defines the options that can be used both for the Apache
+# This file defines the options that can be used both for the Nginx
 # main server configuration, and for the virtual hosts.  (The latter
 # has additional options that affect the web server as a whole, like
 # the user/group to run under.)
@@ -67,7 +67,7 @@ with lib;
     return = mkOption {
       type = types.nullOr types.str;
       default = null;
-      example = "301 http://example.com$request_uri;";
+      example = "301 http://example.com$request_uri";
       description = ''
         Adds a return directive, for e.g. redirections.
       '';
@@ -92,4 +92,3 @@ with lib;
     };
   };
 }
-
diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix
index 15b933c984a..455854e2a96 100644
--- a/nixos/modules/services/web-servers/nginx/vhost-options.nix
+++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix
@@ -1,4 +1,4 @@
-# This file defines the options that can be used both for the Apache
+# This file defines the options that can be used both for the Nginx
 # main server configuration, and for the virtual hosts.  (The latter
 # has additional options that affect the web server as a whole, like
 # the user/group to run under.)
@@ -207,6 +207,7 @@ with lib;
       default = null;
       description = ''
         Basic Auth password file for a vhost.
+        Can be created via: <command>htpasswd -c &lt;filename&gt; &lt;username&gt;</command>
       '';
     };
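Review bot: The added `htpasswd -c` example should say that `-c` creates the file and truncates it if it already exists, otherwise a reader following it for a second user wipes the first; suggested wording: `Can be created via: <command>htpasswd -c &lt;filename&gt; &lt;username&gt;</command> (omit <option>-c</option> when adding further users to an existing file).` It is also worth stating that the file must be readable by the nginx user and group, since the workers open it per request.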