release notes: Explain how to run nginx master as root. Fixes #84391

(cherry picked from commit ba50a7a)
NixOS · Apr 11, 2020 · 0e79744 · 0e79744
1 parent 9099f30
commit 0e79744
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/nixos/doc/manual/release-notes/rl-2003.xml b/nixos/doc/manual/release-notes/rl-2003.xml
@@ -1059,14 +1059,22 @@ auth required pam_succeed_if.so uid >= 1000 quiet
    <listitem>
     <para>
      The nginx web server previously started its master process as root
-     privileged, then ran worker processes as a less privileged identity user.
+     privileged, then ran worker processes as a less privileged identity user
+     (the <literal>nginx</literal> user).
      This was changed to start all of nginx as a less privileged user (defined by
      <literal>services.nginx.user</literal> and
      <literal>services.nginx.group</literal>). As a consequence, all files that
      are needed for nginx to run (included configuration fragments, SSL
      certificates and keys, etc.) must now be readable by this less privileged
      user/group.
     </para>
+    <para>
+     To continue to use the old approach, you can configure:
+      <programlisting>
+services.nginx.appendConfig = let cfg = config.services.nginx; in ''user ${cfg.user} ${cfg.group};'';
+systemd.services.nginx.serviceConfig.User = lib.mkForce "root";
+      </programlisting>
+    </para>
    </listitem>
    <listitem>
     <para>