From 7d2829c0a004e9ee27115be0bc41c2e7787675cb Mon Sep 17 00:00:00 2001
From: Matthias Treydte
Date: Thu, 28 Jan 2021 13:05:53 +0100
Subject: [PATCH] nixos/nginx: fix MemoryDenyWriteExecute not being disabled when needed

The expression should check if the actually used nginx package needes write+execute rights, not the default pkgs.nginx (which has no modules unless overridden in an overlay). Having MemoryDenyWriteExecute always true causes e.g. the Lua module to fail (because JIT compilation).
---
 nixos/modules/services/web-servers/nginx/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index d6f463be9e8..e6797fecc1a 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -801,7 +801,7 @@ in
 ProtectControlGroups = true;
 RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
 LockPersonality = true;
- MemoryDenyWriteExecute = !(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) pkgs.nginx.modules);
+ MemoryDenyWriteExecute = !(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) cfg.package.modules);
 RestrictRealtime = true;
 RestrictSUIDSGID = true;
 PrivateMounts = true;
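Review bot: `cfg.package.modules` on the added line is an unconditional attribute access, so a user-supplied `services.nginx.package` that does not carry a `modules` passthru would now make evaluation fail instead of falling back to the hardened setting, whereas the per-module lookup on the same line already guards itself with `or false`. The same defensive default fits the package attribute: `MemoryDenyWriteExecute = !(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) (cfg.package.modules or []));`. With an empty fallback `MemoryDenyWriteExecute` stays `true` for packages that do not declare their modules, which is the safer side — a package that genuinely needs writable+executable memory then has to say so explicitly. Whether every package reachable through `cfg.package` exposes `modules` is not visible from this hunk, so this is worth confirming rather than assumed. The enclosing `serviceConfig` attribute set starts and ends outside the hunk.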