From 320ad2e3a8fe4d8823abe628573bc209b7305899 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Mon, 26 Sep 2022 15:37:43 -0400
Subject: [PATCH] replace tmpfiles.d with RuntimeDirectory for nginx

This is much more robust because nginx will fail to start after being killed or crashing due to only removing old Unix domain sockets when it stops cleanly. It ends up owned by root:root instead of root:http which is fine because only the master process opens it.
---
 systemd/system/nginx.service.d/local.conf | 2 ++
 tmpfiles.d/local-nginx.conf | 1 -
 2 files changed, 2 insertions(+), 1 deletion(-)
 delete mode 100644 tmpfiles.d/local-nginx.conf

diff --git a/systemd/system/nginx.service.d/local.conf b/systemd/system/nginx.service.d/local.conf
index 3106706..0c662c1 100644
--- a/systemd/system/nginx.service.d/local.conf
+++ b/systemd/system/nginx.service.d/local.conf
@@ -21,6 +21,8 @@ RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
 RestrictNamespaces=true
 RestrictRealtime=true
 RestrictSUIDSGID=true
+RuntimeDirectory=nginx
+RuntimeDirectoryMode=700
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
 SystemCallFilter=~@obsolete
diff --git a/tmpfiles.d/local-nginx.conf b/tmpfiles.d/local-nginx.conf
deleted file mode 100644
index ea2e6e0..0000000
--- a/tmpfiles.d/local-nginx.conf
+++ /dev/null
@@ -1 +0,0 @@
-d /run/nginx 0750 root http
-
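Review bot: `RuntimeDirectoryMode=700` on a directory the description says becomes root:root means only root can traverse /run/nginx, so any non-root process that has to connect to a socket inside it, or a backend service expected to create its own socket there, will now get EACCES where the old `d /run/nginx 0750 root http` let the http group through; the hunk does not show which side of the sockets lives in this directory, so this is worth confirming against nginx.conf. If group access is needed, `RuntimeDirectoryMode=0750` together with `Group=http` in the same drop-in restores the previous permissions while keeping systemd's stale-socket cleanup. The reason for the switch exists only in the commit message; a comment above the two new keys, `# Created and wiped by systemd on every start/stop so stale Unix sockets never block a restart`, would keep it with the unit. Writing the mode as `0700` would also make the octal intent explicit and match the tmpfiles.d form it replaces.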