Merge pull request #141408 from bbigras/openresty-lua

nixos/nginx: disable MemoryDenyWriteExecute for pkgs.openresty
2021-10-24 17:39:27 +00:00 · 2021-10-24 17:39:27 +00:00 · 69b01e3a22
commit 69b01e3a22
parent 5d517bc079 feb47656e4
5 changed files with 64 additions and 2 deletions
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@ -889,7 +889,7 @@ in
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        LockPersonality = true;
-        MemoryDenyWriteExecute = !(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) cfg.package.modules);
+        MemoryDenyWriteExecute = !((builtins.any (mod: (mod.allowMemoryWriteExecute or false)) cfg.package.modules) || (cfg.package == pkgs.openresty));
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        RemoveIPC = true;
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@ -323,6 +323,7 @@ in
  ombi = handleTest ./ombi.nix {};
  openarena = handleTest ./openarena.nix {};
  openldap = handleTest ./openldap.nix {};
+  openresty-lua = handleTest ./openresty-lua.nix {};
  opensmtpd = handleTest ./opensmtpd.nix {};
  opensmtpd-rspamd = handleTest ./opensmtpd-rspamd.nix {};
  openssh = handleTest ./openssh.nix {};
--- a/nixos/tests/openresty-lua.nix
+++ b/nixos/tests/openresty-lua.nix
@ -0,0 +1,55 @@
+import ./make-test-python.nix ({ pkgs, lib, ... }:
+  let
+    lualibs = [
+      pkgs.lua.pkgs.markdown
+    ];
+
+    getPath = lib: type: "${lib}/share/lua/${pkgs.lua.luaversion}/?.${type}";
+    getLuaPath = lib: getPath lib "lua";
+    luaPath = lib.concatStringsSep ";" (map getLuaPath lualibs);
+  in
+  {
+    name = "openresty-lua";
+    meta = with pkgs.lib.maintainers; {
+      maintainers = [ bbigras ];
+    };
+
+    nodes = {
+      webserver = { pkgs, lib, ... }: {
+        services.nginx = {
+          enable = true;
+          package = pkgs.openresty;
+
+          commonHttpConfig = ''
+            lua_package_path '${luaPath};;';
+          '';
+
+          virtualHosts."default" = {
+            default = true;
+            locations."/" = {
+              extraConfig = ''
+                default_type text/html;
+                access_by_lua '
+                  local markdown = require "markdown"
+                  markdown("source")
+                ';
+              '';
+            };
+          };
+        };
+      };
+    };
+
+    testScript = { nodes, ... }:
+      ''
+        url = "http://localhost"
+
+        webserver.wait_for_unit("nginx")
+        webserver.wait_for_open_port(80)
+
+        http_code = webserver.succeed(
+          f"curl -w '%{{http_code}}' --head --fail {url}"
+        )
+        assert http_code.split("\n")[-1] == "200"
+      '';
+  })
--- a/pkgs/servers/http/nginx/generic.nix
+++ b/pkgs/servers/http/nginx/generic.nix
@ -21,6 +21,7 @@
 , preConfigure ? ""
 , postInstall ? null
 , meta ? null
+, passthru ? { tests = {}; }
 }:

 with lib;
@ -146,7 +147,7 @@ stdenv.mkDerivation {
      inherit (nixosTests) nginx nginx-auth nginx-etag nginx-pubhtml nginx-sandbox nginx-sso;
      variants = lib.recurseIntoAttrs nixosTests.nginx-variants;
      acme-integration = nixosTests.acme;
-    };
+    } // passthru.tests;
  };

  meta = if meta != null then meta else {
--- a/pkgs/servers/http/openresty/default.nix
+++ b/pkgs/servers/http/openresty/default.nix
@ -3,6 +3,7 @@
 , lib
 , fetchurl
 , postgresql
+, nixosTests
 , ...
 }@args:

@ -42,6 +43,10 @@ callPackage ../nginx/generic.nix args rec {
    ln -s $out/nginx/html $out/html
  '';

+  passthru.tests = {
+    inherit (nixosTests) openresty-lua;
+  };
+
  meta = {
    description = "A fast web application server built on Nginx";
    homepage = "https://openresty.org";