author | Lucas Savva <lucas@m1cr0man.com> | 2021-12-18 14:52:32 +0000 |
---|---|---|
committer | Lucas Savva <lucas@m1cr0man.com> | 2021-12-26 16:49:59 +0000 |
commit | 65f1b8c6ae2f2cf6a13d77b98b42eba31eef0424 (patch) | |
tree | 652f77c0cd5bf2d652b49e4eb2f0ec09f917f6c5 /nixos/modules | |
parent | 2dcc3daadf3718b3b0216d4cfbaab9040a9beffd (diff) | |
nixos/acme: Add test for lego's built-in web server
In the process I also found that the CapabilityBoundingSet was restricting the service from listening on port 80, and the AmbientCapabilities was ineffective. Fixed appropriately.
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/security/acme.nix | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix index 2b3a86f96fc..e244989d640 100644 --- a/nixos/modules/security/acme.nix +++ b/nixos/modules/security/acme.nix @@ -324,7 +324,7 @@ let fi ''); } // optionalAttrs (data.listenHTTP != null && toInt (elemAt (splitString ":" data.listenHTTP) 1) < 1024) { - AmbientCapabilities = "CAP_NET_BIND_SERVICE"; + CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; }; # Working directory will be /tmp |
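Review bot: The replacement line drops `AmbientCapabilities = "CAP_NET_BIND_SERVICE";` instead of keeping it next to the new `CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];`. A bounding set only limits which capabilities the service may hold and grants none, so if this unit runs under a non-root `User=` (not visible in this hunk) it still needs the ambient capability to bind a port below 1024. Consider setting both attributes in this `optionalAttrs` block. A short comment here saying that it widens the restrictive bounding set defined elsewhere in the module would also help, since that reasoning currently lives only in the commit message.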