pomerium: unbreak LuaJIT
parent
d3f6442301
commit
8ed1d0665e
1 changed files with 2 additions and 1 deletions
|
@ -41,6 +41,7 @@ with lib;
|
|||
StateDirectory = "pomerium";
|
||||
|
||||
PrivateUsers = !cfg.bindLowPort; # breaks CAP_NET_BIND_SERVICE
|
||||
MemoryDenyWriteExecute = false; # breaks LuaJIT
|
||||
|
||||
NoNewPrivileges = true;
|
||||
PrivateTmp = true;
|
||||
|
@ -56,8 +57,8 @@ with lib;
|
|||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
LockPersonality = true;
|
||||
SystemCallArchitectures = "native";
|
||||
|
||||
EnvironmentFile = cfg.secretsFile;
|
||||
AmbientCapabilities = lib.mkIf cfg.bindLowPort [ "CAP_NET_BIND_SERVICE" ];
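Review bot: The added `MemoryDenyWriteExecute = false; # breaks LuaJIT` in the first hunk relaxes W^X for the whole pomerium unit, and the three-word comment does not say which component needs writable-and-executable mappings or when the setting can be restored. I would expand it to something like `# LuaJIT needs W+X pages for its JIT; set back to true if the bundled proxy stops using LuaJIT`. The dependency is presumably the embedded proxy's Lua support, which should be confirmed. With this off, systemd no longer stops a memory-corruption bug in the service from creating executable mappings, so the other hardening visible here (`NoNewPrivileges`, `RestrictNamespaces`, `LockPersonality`, `SystemCallArchitectures`) should stay unchanged. The `MemoryDenyWriteExecute = true;` line in the second hunk is presumably the removed side, since the rendering has dropped the +/- markers, and the attribute set continues outside both hunks.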
|
||||
|
|