From 8a14911502d2c10042676bd153c08a8fb718e7ee Mon Sep 17 00:00:00 2001
From: root
Date: Sun, 26 Apr 2026 05:26:09 +0000
Subject: [PATCH] Ubuntu 26.04 Release
---
 .gitea/workflows/build-publish.yml | 9 -------
 static/Raccoon/nginx.service | 40 ------------------------------
 static/Trixie/nginx.service | 40 ------------------------------
 static/nginx/nginx.conf | 7 ------
 4 files changed, 96 deletions(-)
diff --git a/.gitea/workflows/build-publish.yml b/.gitea/workflows/build-publish.yml
index 6204086..a344b3a 100644
--- a/.gitea/workflows/build-publish.yml
+++ b/.gitea/workflows/build-publish.yml
@@ -72,21 +72,12 @@ jobs:
 cp -R /hostdata/default "${PKG_DIR}/hostdata/" || true
 cp -R /usr/nginx_lua "${PKG_DIR}/usr/" || true
- # Preserve compile-time rpath paths so the dynamic loader resolves
- # AWS-LC, LuaJIT, libinjection, and libmodsecurity correctly on the
- # target host. Flattening these into /usr/lib (the old behaviour)
- # made the loader fall back to the host's system libssl/libcrypto
- # which have a different ABI from AWS-LC -> "undefined symbol"
- # crashes at runtime.
 for d in /usr/local/aws-lc /usr/local/LuaJIT /usr/local/modsecurity; do
 [ -d "$d" ] && cp -R "$d" "${PKG_DIR}/usr/local/" || true
 done
 mkdir -p "${PKG_DIR}/usr/local/lib"
 cp -R /usr/local/lib/. "${PKG_DIR}/usr/local/lib/" 2>/dev/null || true
- # Other libs nginx links against (system glibc deps, libpcre2, etc.)
- # go to /usr/lib. Skip anything under /usr/local — it's already
- # shipped at its original path above.
 for lib in $(ldd /usr/sbin/nginx | grep '=> /' | awk '{print $3}'); do
 case "$lib" in
 /usr/local/*) continue ;;
diff --git a/static/Raccoon/nginx.service b/static/Raccoon/nginx.service
index bd24fe1..8b77a15 100644
--- a/static/Raccoon/nginx.service
+++ b/static/Raccoon/nginx.service
@@ -6,52 +6,12 @@ Wants=network-online.target
 [Service]
 Type=forking
 PIDFile=/run/nginx.pid
-
-# jemalloc replaces glibc malloc — better fragmentation/perf under nginx's
-# alloc/free churn at scale. Package depends on libjemalloc2 so the .so is
-# guaranteed present. Removing this line falls back to glibc malloc cleanly.
 Environment=LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2
-
-# Self-heal: nginx was compiled without --http-*-temp-path so it expects
-# these dirs under /usr/local/nginx; install -d is idempotent and fixes any
-# missing/wrong ownership on every restart.
 ExecStartPre=/usr/bin/install -d -o nginx -g nginx -m 0755 /usr/local/nginx /usr/local/nginx/client_body_temp /usr/local/nginx/proxy_temp /usr/local/nginx/fastcgi_temp /usr/local/nginx/uwsgi_temp /usr/local/nginx/scgi_temp /var/log/nginx
 ExecStartPre=/usr/sbin/nginx -t
 ExecStart=/usr/sbin/nginx
 ExecReload=/usr/sbin/nginx -s reload
 ExecStop=/bin/kill -s QUIT $MAINPID
-
-# ---- systemd hardening (systemd 257+ on Debian 13 / Ubuntu 26.04) ----
-# Each line shrinks the worker's blast radius without affecting throughput.
-NoNewPrivileges=true
-ProtectSystem=strict
-ProtectHome=true
-ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectKernelLogs=true
-ProtectControlGroups=true
-ProtectClock=true
-ProtectHostname=true
-PrivateDevices=true
-PrivateTmp=true
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
-RestrictNamespaces=true
-RestrictRealtime=true
-RestrictSUIDSGID=true
-LockPersonality=true
-SystemCallArchitectures=native
-SystemCallFilter=@system-service
-SystemCallFilter=~@privileged @mount @debug @cpu-emulation @obsolete @raw-io @reboot @swap
-SystemCallErrorNumber=EPERM
-
-# Paths nginx legitimately writes to. ProtectSystem=strict makes everything
-# else read-only; these carve out the exceptions.
-ReadWritePaths=/var/log/nginx /usr/local/nginx /run /nginx /hostdata
-
-# NOTE on MemoryDenyWriteExecute: LuaJIT does runtime JIT compilation and
-# therefore needs writable+executable pages — enabling MDWE breaks Lua. Left
-# off intentionally.
-
 LimitNOFILE=65535
 [Install]
diff --git a/static/Trixie/nginx.service b/static/Trixie/nginx.service
index bd24fe1..8b77a15 100644
--- a/static/Trixie/nginx.service
+++ b/static/Trixie/nginx.service
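Review bot: The new side of this unit runs nginx with no systemd sandboxing at all — every directive from `NoNewPrivileges=true` through `SystemCallErrorNumber=EPERM`, plus the `ReadWritePaths` carve-out, is gone, while `Environment=LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2` and the `install -d -o nginx -g nginx` pre-step stay, and neither the subject "Ubuntu 26.04 Release" nor anything in the diff says which directive failed. If a single setting broke on 26.04 (a path nginx writes that is missing from the `ReadWritePaths` list under `ProtectSystem=strict` would be the usual suspect, since the deleted comment describes that line as the exception set), the fix is to adjust that one line rather than drop the whole block; `systemd-analyze security nginx.service` run before and after this change will show how far the exposure score has moved. At minimum keep `NoNewPrivileges=true`, `ProtectSystem=strict` and `ReadWritePaths=/var/log/nginx /usr/local/nginx /run /nginx /hostdata` together, and if the block really has to go, leave a one-line comment in the unit such as `# Hardening block removed for 26.04 because <symptom>; see <issue>` so the next maintainer does not re-add it blind. The `[Install]` section continues past the hunk.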
@@ -6,52 +6,12 @@ Wants=network-online.target
 [Service]
 Type=forking
 PIDFile=/run/nginx.pid
-
-# jemalloc replaces glibc malloc — better fragmentation/perf under nginx's
-# alloc/free churn at scale. Package depends on libjemalloc2 so the .so is
-# guaranteed present. Removing this line falls back to glibc malloc cleanly.
 Environment=LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2
-
-# Self-heal: nginx was compiled without --http-*-temp-path so it expects
-# these dirs under /usr/local/nginx; install -d is idempotent and fixes any
-# missing/wrong ownership on every restart.
 ExecStartPre=/usr/bin/install -d -o nginx -g nginx -m 0755 /usr/local/nginx /usr/local/nginx/client_body_temp /usr/local/nginx/proxy_temp /usr/local/nginx/fastcgi_temp /usr/local/nginx/uwsgi_temp /usr/local/nginx/scgi_temp /var/log/nginx
 ExecStartPre=/usr/sbin/nginx -t
 ExecStart=/usr/sbin/nginx
 ExecReload=/usr/sbin/nginx -s reload
 ExecStop=/bin/kill -s QUIT $MAINPID
-
-# ---- systemd hardening (systemd 257+ on Debian 13 / Ubuntu 26.04) ----
-# Each line shrinks the worker's blast radius without affecting throughput.
-NoNewPrivileges=true
-ProtectSystem=strict
-ProtectHome=true
-ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectKernelLogs=true
-ProtectControlGroups=true
-ProtectClock=true
-ProtectHostname=true
-PrivateDevices=true
-PrivateTmp=true
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
-RestrictNamespaces=true
-RestrictRealtime=true
-RestrictSUIDSGID=true
-LockPersonality=true
-SystemCallArchitectures=native
-SystemCallFilter=@system-service
-SystemCallFilter=~@privileged @mount @debug @cpu-emulation @obsolete @raw-io @reboot @swap
-SystemCallErrorNumber=EPERM
-
-# Paths nginx legitimately writes to. ProtectSystem=strict makes everything
-# else read-only; these carve out the exceptions.
-ReadWritePaths=/var/log/nginx /usr/local/nginx /run /nginx /hostdata
-
-# NOTE on MemoryDenyWriteExecute: LuaJIT does runtime JIT compilation and
-# therefore needs writable+executable pages — enabling MDWE breaks Lua. Left
-# off intentionally.
-
 LimitNOFILE=65535
 [Install]
diff --git a/static/nginx/nginx.conf b/static/nginx/nginx.conf
index 58b63c5..7302e21 100644
--- a/static/nginx/nginx.conf
+++ b/static/nginx/nginx.conf
@@ -1,10 +1,3 @@
-# Suggestions? => https://github.com/theraw/The-World-Is-Yours/issues
-# Problems? => https://github.com/theraw/The-World-Is-Yours/issues
-#
-# Tuned for shared hosting at 5,000+ vhost scale.
-# Per-vhost listen/ssl_certificate directives live in /nginx/live/* — this
-# file only contains the global event/http settings.
-
 user nginx;
 pid /var/run/nginx.pid;
 worker_processes auto;
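Review bot: This file is byte-identical to static/Raccoon/nginx.service both before and after the change (both sections carry `index bd24fe1..8b77a15`), so whatever prompted the removal for the Ubuntu 26.04 release has also stripped the sandbox from the Debian 13 unit, even though the deleted header comment scopes the block to `systemd 257+ on Debian 13 / Ubuntu 26.04` and nothing in the diff points at a Trixie-specific failure. If the problem is specific to one distribution, keep the hardening in this unit and ship the distro-specific relaxation as a drop-in (`/etc/systemd/system/nginx.service.d/override.conf` holding only the directive that needs changing) instead of hand-editing two copies of the same unit. If the two files are meant to stay identical, generate one from the other in the build workflow so a security-relevant edit like this one cannot land in one and silently miss the other. The `[Install]` section continues past the hunk.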