diff --git a/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixos/modules/services/web-servers/apache-httpd/default.nix
index 832c8b30ee9d..1094ed93e68c 100644
--- a/nixos/modules/services/web-servers/apache-httpd/default.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/default.nix
@@ -453,7 +453,13 @@ in
type = types.str;
default = "wwwrun";
description = ''
- User account under which httpd runs.
+ User account under which httpd children processes run.
+
+ If you require the main httpd process to run as
+ root add the following configuration:
+
+ systemd.services.httpd.serviceConfig.User = lib.mkForce "root";
+
'';
};
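Review bot: The new description line `+ User account under which httpd children processes run.` should read "child processes", and the same wording appears in the next hunk for the group option. After this commit the main httpd process is started as `cfg.user` too (see the `User = cfg.user;` change further down), so saying the option only governs the children understates it; `User account under which httpd runs (the main process and its workers).` would be accurate. The `lib.mkForce "root"` hint is useful, but it could add that the override re-introduces a root-owned main process and makes the ambient capability added by this commit unnecessary. The option definition starts before this hunk.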
@@ -461,7 +467,7 @@ in
type = types.str;
default = "wwwrun";
description = ''
- Group under which httpd runs.
+ Group under which httpd children processes run.
'';
};
@@ -724,7 +730,7 @@ in
ExecStart = "@${pkg}/bin/httpd httpd -f ${httpdConf}";
ExecStop = "${pkg}/bin/httpd -f ${httpdConf} -k graceful-stop";
ExecReload = "${pkg}/bin/httpd -f ${httpdConf} -k graceful";
- User = "root";
+ User = cfg.user;
Group = cfg.group;
Type = "forking";
PIDFile = "${runtimeDir}/httpd.pid";
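Review bot: Switching `User = "root";` to `User = cfg.user;` means httpd can no longer drop privileges itself, so everything the daemon opens at startup — TLS private keys, htpasswd files, custom log directories — must now be readable or writable by `cfg.user`, and nothing in this hunk checks or documents that. A root-only key file that worked before this commit will make the unit fail to start, so a why-comment on the line, `# httpd starts unprivileged: files referenced from the configuration must be accessible to cfg.user`, plus a release note would help operators upgrading. ExecStop and ExecReload now also run as `cfg.user`, which is consistent since both only signal the running instance. The serviceConfig attribute set starts before this hunk.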
@@ -732,6 +738,7 @@ in
RestartSec = "5s";
RuntimeDirectory = "httpd httpd/runtime";
RuntimeDirectoryMode = "0750";
+ AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
};
};
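Review bot: `AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];` is granted unconditionally, so an instance that listens only on ports above 1023 still carries a capability it never needs, and since ambient capabilities survive fork and exec, workers and any CGI children presumably inherit it as well. If the configured listen ports are in scope, emitting the entry only when a port below 1024 is configured would keep the grant minimal; pairing it with `CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];` would make explicit that this is the sole capability retained. A short why-comment, `# unprivileged user needs this to bind 80/443`, would explain the line for readers who see the User change above. The serviceConfig attribute set starts before this hunk.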