From 2ceae2db61f6b60e56c3ee54ba38ff43f10574a6 Mon Sep 17 00:00:00 2001
From: Bruno Bigras
Date: Tue, 12 Oct 2021 16:26:39 -0400
Subject: [PATCH] nixos/nginx: disable MemoryDenyWriteExecute for pkgs.openresty fix #140655
Co-authored-by: Yurii Izorkin
---
nixos/modules/services/web-servers/nginx/default.nix | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index d5486be65ee7..be589e42ddd6 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -889,7 +889,7 @@ in
 RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
 RestrictNamespaces = true;
 LockPersonality = true;
- MemoryDenyWriteExecute = !(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) cfg.package.modules);
+ MemoryDenyWriteExecute = !((builtins.any (mod: (mod.allowMemoryWriteExecute or false)) cfg.package.modules) || (cfg.package == pkgs.openresty));
 RestrictRealtime = true;
 RestrictSUIDSGID = true;
 RemoveIPC = true;
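Review bot: The added `cfg.package == pkgs.openresty` test on the `MemoryDenyWriteExecute` line matches only the exact package from this `pkgs`, so an overridden or overlay-built openresty (which presumably needs writable-executable memory just the same) would keep the restriction and likely fail at start. A check on a package attribute would be sturdier, for example `|| (cfg.package.pname or "") == "openresty"` if the package sets `pname`, or letting openresty expose the same `allowMemoryWriteExecute` flag the modules already use. Because this line switches off W^X enforcement for the whole service, a short comment such as `# openresty needs W+X mappings (JIT); keep this exception as narrow as possible` would help stop it being widened later. The enclosing attribute set starts and ends outside the hunk.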