From 2f845dccbf525cbf79ac64629e9eb932f56dc86f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niklas=20Hamb=C3=BCchen?=
Date: Sun, 8 Nov 2020 16:58:58 +0100
Subject: [PATCH 1/2] manual: nginx: Mention ProtectHome in release notes.

See #85567. See https://github.com/NixOS/nixpkgs/pull/85567#pullrequestreview-525820684
---
 nixos/doc/manual/release-notes/rl-2009.xml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml
index 01f113198eb9..5845cc48c545 100644
--- a/nixos/doc/manual/release-notes/rl-2009.xml
+++ b/nixos/doc/manual/release-notes/rl-2009.xml
@@ -885,6 +885,17 @@ php.override {
 systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
+
+ Nginx is also started with the systemd option ProtectHome = mkDefault true;
+ which forbids it to read anything from /home, /root
+ and /run/user (see
+ ProtectHome docs
+ for details).
+ If you require serving files from home directories, you may choose to set e.g.
+
+systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
+
+

From 2e7b320931a1bf2a8b7f1dd2f2ee4343a8dc0847 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niklas=20Hamb=C3=BCchen?=
Date: Sun, 8 Nov 2020 17:55:11 +0100
Subject: [PATCH 2/2] manual: nginx: Remove reference to `stateDir` from release notes.

Fixes #102211. Fixed wording taken from: https://github.com/NixOS/nixpkgs/issues/102211#issuecomment-719976230
---
 nixos/doc/manual/release-notes/rl-2009.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml
index 5845cc48c545..75c8adbf45ed 100644
--- a/nixos/doc/manual/release-notes/rl-2009.xml
+++ b/nixos/doc/manual/release-notes/rl-2009.xml
@@ -879,7 +879,7 @@ php.override {
 Nginx web server now starting with additional sandbox/hardening options. By default, write access
- to services.nginx.stateDir is allowed. To allow writing to other folders,
+ to /var/log/nginx and /var/cache/nginx is allowed. To allow writing to other folders,
 use systemd.services.nginx.serviceConfig.ReadWritePaths systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];