nixpkgs/nixos/modules/services/web-servers/caddy
Lin Jian f7baa65db7
nixos/caddy: improve security about acme certs
Before this patch, the caddy process has acme in its supplementary
group because of the SupplementaryGroups in its service config, which
may give it more permission than needed, is inconsistent with the
documentation of services.caddy.virtualHosts.<name>.useACMEHost and is
redundant since we have mkCertOwnershipAssertion in assertions.

This patch fixes these problems by defaulting the group of needed
certs to caddy, which is what other web servers like nginx do, and
deleting the SupplementaryGroups config.
2022-06-29 05:41:13 +08:00
default.nix nixos/caddy: improve security about acme certs 2022-06-29 05:41:13 +08:00
vhost-options.nix nixos/caddy: improve security about acme certs 2022-06-29 05:41:13 +08:00