servo: nginx: dont follow symlinks in the /share directory

hosts/by-name/servo/services/nginx.nix

@@ -54,6 +54,9 @@ in
   services.nginx.recommendedOptimisation = true;
 
   # web blog/personal site
+  # alternative way to link stuff into the share:
+  # sane.fs."/var/lib/uninsane/root/share/Ubunchu".mount.bind = "/var/lib/uninsane/media/Books/Visual/HiroshiSeo/Ubunchu";
+  # sane.fs."/var/lib/uninsane/media/Books/Visual/HiroshiSeo/Ubunchu".dir = {};
   services.nginx.virtualHosts."uninsane.org" = publog {
     root = "${pkgs.uninsane-dot-org}/share/uninsane-dot-org";
     # a lot of places hardcode https://uninsane.org,
@@ -72,6 +75,9 @@ in
       extraConfig = ''
         # autoindex => render directory listings
         autoindex on;
+        # don't follow any symlinks when serving files
+        # otherwise it allows a directory escape
+        disable_symlinks on;
       '';
     };