From 8ed1d0665e442fb4593a7c266bb250db222fd128 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Mon, 28 Dec 2020 17:04:31 +0000
Subject: [PATCH] pomerium: unbreak LuaJIT
---
 nix/pkgs/pomerium/module.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/nix/pkgs/pomerium/module.nix b/nix/pkgs/pomerium/module.nix
index eeb13c9150..14b367f753 100644
--- a/nix/pkgs/pomerium/module.nix
+++ b/nix/pkgs/pomerium/module.nix
@@ -41,6 +41,7 @@ with lib;
 StateDirectory = "pomerium";
 PrivateUsers = !cfg.bindLowPort; # breaks CAP_NET_BIND_SERVICE
+MemoryDenyWriteExecute = false; # breaks LuaJIT
 NoNewPrivileges = true;
 PrivateTmp = true;
@@ -56,8 +57,8 @@ with lib;
 RestrictNamespaces = true;
 RestrictRealtime = true;
 RestrictSUIDSGID = true;
-MemoryDenyWriteExecute = true;
 LockPersonality = true;
+SystemCallArchitectures = "native";
 EnvironmentFile = cfg.secretsFile;
 AmbientCapabilities = lib.mkIf cfg.bindLowPort [ "CAP_NET_BIND_SERVICE" ];
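Review bot: The added `MemoryDenyWriteExecute = false; # breaks LuaJIT` drops W^X enforcement for the whole pomerium unit, and the one-word comment does not say why, so the next person tightening the sandbox will not know what they are trading off; I would write it as `MemoryDenyWriteExecute = false; # LuaJIT needs writable+executable mappings for its JIT, W^X enforcement (MemoryDenyWriteExecute) aborts it`. Since `false` is also systemd's default, the line exists purely as documentation, which makes the fuller comment worth having. With W^X off, the remaining restrictions in this serviceConfig carry more weight; the `SystemCallArchitectures = "native"` added in the second hunk helps, and if `SystemCallFilter` is not already set further down in the block (not visible in this patch), it is the natural compensating control. The enclosing serviceConfig attribute set starts and ends outside this hunk.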
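Review bot: The added `SystemCallArchitectures = "native";` is a behavioural hardening change unrelated to the "unbreak LuaJIT" subject and is not mentioned in the commit message, so a reader bisecting a later failure will not find it under this title; either mention it in the subject or description, or split it into its own commit. It is also inserted between `LockPersonality` and `EnvironmentFile` rather than alongside the `Restrict*` options it belongs with, which is a small readability cost. The removal of `MemoryDenyWriteExecute = true;` here and its re-addition as `false` in the first hunk are the same logical change; keeping both in one place would make the diff easier to follow. The enclosing serviceConfig attribute set starts and ends outside this hunk.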