From d56514c76a3a2f3c1523936ea00b620b4d7b2cad Mon Sep 17 00:00:00 2001
From: Izorkin
Date: Sat, 15 Aug 2020 11:08:22 +0300
Subject: [PATCH 1/2] unit: 1.18.0 -> 1.19.0
---
 pkgs/servers/http/unit/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pkgs/servers/http/unit/default.nix b/pkgs/servers/http/unit/default.nix
index 913ed201f48..2f73a5d9243 100644
--- a/pkgs/servers/http/unit/default.nix
+++ b/pkgs/servers/http/unit/default.nix
@@ -8,7 +8,7 @@
 , withPerldevel ? false, perldevel
 , withRuby_2_5 ? false, ruby_2_5
 , withRuby_2_6 ? true, ruby_2_6
-, withRuby_2_7 ? true, ruby_2_7
+, withRuby_2_7 ? false, ruby_2_7
 , withSSL ? true, openssl ? null
 , withIPv6 ? true
 , withDebug ? false
@@ -30,14 +30,14 @@ let
 php74-unit = php74.override phpConfig;
 in stdenv.mkDerivation rec {
- version = "1.18.0";
+ version = "1.19.0";
 pname = "unit";
 src = fetchFromGitHub {
 owner = "nginx";
 repo = "unit";
 rev = version;
- sha256 = "0r2l3ra63qjjbpjzrmx75jp9fvz83yis4j3qxqdnmxm77psykwy8";
+ sha256 = "0k3q42q198sb0w6hyyymw92dbhz67axn6w6vnzr0d883xw3sva7k";
 };
 nativeBuildInputs = [ which ];
From 26898b851803f046faa70c5e254dabfaf8af3de7 Mon Sep 17 00:00:00 2001
From: Izorkin
Date: Sat, 15 Aug 2020 11:13:44 +0300
Subject: [PATCH 2/2] nixos/unit: update sandboxing options
---
 nixos/modules/services/web-servers/unit/default.nix | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/nixos/modules/services/web-servers/unit/default.nix b/nixos/modules/services/web-servers/unit/default.nix
index 65dcdbed000..894271d1e55 100644
--- a/nixos/modules/services/web-servers/unit/default.nix
+++ b/nixos/modules/services/web-servers/unit/default.nix
@@ -120,9 +120,12 @@ in {
 ProtectHome = true;
 PrivateTmp = true;
 PrivateDevices = true;
+ PrivateUsers = false;
 ProtectHostname = true;
+ ProtectClock = true;
 ProtectKernelTunables = true;
 ProtectKernelModules = true;
+ ProtectKernelLogs = true;
 ProtectControlGroups = true;
 RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
 LockPersonality = true;
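Review bot: `PrivateUsers = false;` is the value systemd already uses when the key is absent, so this added line gives no extra confinement, and nothing in the hunk says why it is pinned off inside a hardening block. If it is deliberate (presumably Unit's main process needs real host UIDs to start application processes under other users; that is my inference, the patch does not say), a comment above it such as `# PrivateUsers stays off: <reason>` would keep a later hardening pass from switching it to true and breaking the service. `ProtectKernelLogs` and `ProtectClock` are only recognised from systemd 244 and 245 onwards; older versions log an unknown-key warning and skip them, so it is worth confirming the effective sandbox on the target release with `systemd-analyze security unit.service`. The surrounding serviceConfig block starts and ends outside this hunk.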