pomerium: unbreak LuaJIT
This commit is contained in:
parent
d3f6442301
commit
8ed1d0665e
1 changed files with 2 additions and 1 deletions
|
@ -41,6 +41,7 @@ with lib;
|
||||||
StateDirectory = "pomerium";
|
StateDirectory = "pomerium";
|
||||||
|
|
||||||
PrivateUsers = !cfg.bindLowPort; # breaks CAP_NET_BIND_SERVICE
|
PrivateUsers = !cfg.bindLowPort; # breaks CAP_NET_BIND_SERVICE
|
||||||
|
MemoryDenyWriteExecute = false; # breaks LuaJIT
|
||||||
|
|
||||||
NoNewPrivileges = true;
|
NoNewPrivileges = true;
|
||||||
PrivateTmp = true;
|
PrivateTmp = true;
|
||||||
|
@ -56,8 +57,8 @@ with lib;
|
||||||
RestrictNamespaces = true;
|
RestrictNamespaces = true;
|
||||||
RestrictRealtime = true;
|
RestrictRealtime = true;
|
||||||
RestrictSUIDSGID = true;
|
RestrictSUIDSGID = true;
|
||||||
MemoryDenyWriteExecute = true;
|
|
||||||
LockPersonality = true;
|
LockPersonality = true;
|
||||||
|
SystemCallArchitectures = "native";
|
||||||
|
|
||||||
EnvironmentFile = cfg.secretsFile;
|
EnvironmentFile = cfg.secretsFile;
|
||||||
AmbientCapabilities = lib.mkIf cfg.bindLowPort [ "CAP_NET_BIND_SERVICE" ];
|
AmbientCapabilities = lib.mkIf cfg.bindLowPort [ "CAP_NET_BIND_SERVICE" ];
|
||||||
|
|
Loading…
Reference in a new issue