pomerium: unbreak LuaJIT

This commit is contained in:
Luke Granger-Brown 2020-12-28 17:04:31 +00:00
parent d3f6442301
commit 8ed1d0665e

View file

@ -41,6 +41,7 @@ with lib;
StateDirectory = "pomerium";
PrivateUsers = !cfg.bindLowPort; # breaks CAP_NET_BIND_SERVICE
MemoryDenyWriteExecute = false; # breaks LuaJIT
NoNewPrivileges = true;
PrivateTmp = true;
@ -56,8 +57,8 @@ with lib;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
MemoryDenyWriteExecute = true;
LockPersonality = true;
SystemCallArchitectures = "native";
EnvironmentFile = cfg.secretsFile;
AmbientCapabilities = lib.mkIf cfg.bindLowPort [ "CAP_NET_BIND_SERVICE" ];