nginxModules: add option allowMemoryWriteExecute

The allowMemoryWriteExecute option is required to checking enabled nginxModules
and disable the nginx sandbox mode MemoryDenyWriteExecute.

nixos/modules/services/web-servers/nginx/default.nix

@@ -724,7 +724,7 @@ in
         ProtectControlGroups = true;
         RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
         LockPersonality = true;
-        MemoryDenyWriteExecute = mkDefault true;
+        MemoryDenyWriteExecute = !(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) pkgs.nginx.modules);
         RestrictRealtime = true;
         RestrictSUIDSGID = true;
         PrivateMounts = true;

pkgs/servers/http/nginx/modules.nix

@@ -140,6 +140,7 @@ in
       export LUAJIT_LIB="${pkgs.luajit}/lib"
       export LUAJIT_INC="${pkgs.luajit}/include/luajit-2.0"
     '';
+    allowMemoryWriteExecute = true;
   };
 
   lua-upstream = {
@@ -150,6 +151,7 @@ in
       sha256 = "1gqccg8airli3i9103zv1zfwbjm27h235qjabfbfqk503rjamkpk";
     };
     inputs = [ pkgs.luajit ];
+    allowMemoryWriteExecute = true;
   };
 
   modsecurity = {
@@ -246,6 +248,7 @@ in
     in {
       src = ngx_pagespeed;
       inputs = [ pkgs.zlib pkgs.libuuid ]; # psol deps
+      allowMemoryWriteExecute = true;
     };
 
   pam = {