| Commit message (Collapse) | Author | Age |
nixos/minio: replace deprecated variables
|
treewide: remove duplicates SystemCallFilters
|
As of 67a5d66 this is no longer true, since acme postRun runs as root.
The idea of the service is good so reword a comment a bit.
|
`allowKeysForGroup` is no longer available so this drops
```
security.acme.certs."example.com".allowKeysForGroup = true;
```
line. `SupplementaryGroups` should be enough for
allowing access to certificates.
|
nixos/nginx: add option to change proxy timeouts
|
treewide: remove gnidorah
|
due to GitHub account removal/deletion and no other means of contact.
|
nixos/caddy: support user and group options
|
nixos/httpd: provide a stable path to the configuration f…
|
reloads
|
nixos/trafficserver: init
|
- Set an explicit umask that allows u+rwx and g+r.
- Adds `ProtectControlGroups` and `ProtectKernelLogs`, there should be
  no need to access either.
- Adds `ProtectClock` to prevent write-access to the system clock.
- `ProtectProc` hides processes from other users within the /proc
  filesystem and `ProcSubset` hides all files/directories unrelated to
  the process management of the unit's process.
- Sets `RemoveIPC`, as there is no SysV or POSIX IPC within nginx that I
  know of.
- Restricts the creation of arbitrary namespaces.
- Adds a reasonable `SystemCallFilter` preventing calls to @privileged,
  @obsolete and others.

And finally applies some sorting based on the order these options appear
in systemd.exec(5).
|
nixos/nginx: set isSystemUser
|
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
|
* nixos/nginx: add upstreams examples
I am not fully sure if they are fully correct but they deployed the right syntax.
* nixos/nginx: use literal example
* Update nixos/modules/services/web-servers/nginx/default.nix
* Update nixos/modules/services/web-servers/nginx/default.nix
|
This reverts commit 2d3200e010cc4c6fae62d9f6c31357cb97d606d4.
|
nixos/minio: allow multiple data directories for erasure coding
|
This allows http keep-alive by default which requires http 1.1.
|
discourse: Add package and NixOS module
|
useACMEHost doesn't work properly, because I forgot to actually define
the variable that is being relied upon here. Oops.
|
According to the nginx documentation [1] those values cannot usually exceed 75 seconds.
The defaults are 60s and should probably be lowered to something reasonable like 20 or 30 seconds.
[1] https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_connect_timeout
|
nixos/nginx: fix MemoryDenyWriteExecute not being disabled when needed
|
The expression should check if the actually used nginx package
needs write+execute rights, not the default pkgs.nginx (which
has no modules unless overridden in an overlay).
Having MemoryDenyWriteExecute always true causes e.g. the Lua
module to fail (because JIT compilation).
|
Account for the fact that, when creating a lua package without the
"withPackages" helper, we don't get an extra "lua" attribute in the
package.
Therefore we need to distinguish between the "withPackages" case and the
direct (or "empty") lua package.
For example with this nixos config:
```nix
{
  services.httpd = {
    enable = true;
    package = pkgs.apacheHttpd.override {
      luaSupport = true;
      lua5 = pkgs.lua5_3.withPackages (ps: with ps; [ luafilesystem ]);
    };
  };
}
```
Here we say that we want to have apache to use a lua, packaged with the
`luafilesystem` module so that we can `require` that in scripts to
render http responses. There, the set that gets assigned to `lua5` does
not have a `luaversion` attribute, rather it has a `lua` attribute
wherein lies a `luaversion` attribute. If we don't package additional
modules, then we don't have that `lua` attribute in between and rather
directly have to use `luaversion` directly.
|
nixos/nginx: serve unknown MIME-Types as binary
|
The built-in default for unknown MIME-Types is `text/plain` whereas the
upstream default config changes it to `application/octet-stream`. By
changing the default type, unknown files will be downloaded by browsers
instead of being displayed.