Commit 080774e2 authored by oaksoaj's avatar oaksoaj Committed by ehmry

yggdrasil: reenable DynamicUser

Since version 0.4, Yggdrasil works again with systemd's DynamicUser option.
This patch re-enables it to improve security.

We tested this with both persistent and non-persistent keys. Everything
seems to work fine.
parent e4d49de4
+6 −23
@@ -60,13 +60,6 @@ in {
        '';
      };

      group = mkOption {
        type = types.str;
        default = "root";
        example = "wheel";
        description = "Group to grant access to the Yggdrasil control socket.";
      };

      openMulticastPort = mkOption {
        type = bool;
        default = false;
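Review bot: The `group` option is deleted outright (the `group = mkOption { ... }` lines), so any configuration that still sets it (presumably `services.yggdrasil.group`) now fails at evaluation with an undefined-option error instead of a migration hint; add `(mkRemovedOptionModule [ "services" "yggdrasil" "group" ] "The control socket is no longer shared via a group; the service now runs as a DynamicUser.")` to the module's `imports`. The removed description was also the only place documenting how an operator reached the control socket, and with `DynamicUser` the runtime directory belongs to a transient group, so that access path disappears silently and should be named in the option docs or commit message. The enclosing `options` attribute set starts before this hunk.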
@@ -154,27 +147,17 @@ in {
        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
        Restart = "always";

        Group = cfg.group;
        User = "yggdrasil";
        DynamicUser = true;
        StateDirectory = "yggdrasil";
        RuntimeDirectory = "yggdrasil";
        RuntimeDirectoryMode = "0750";
        BindReadOnlyPaths = lib.optional configFileProvided cfg.configFile
          ++ lib.optional cfg.persistentKeys keysPath;
        ReadWritePaths = "/run/yggdrasil";

        # TODO: as of yggdrasil 0.3.8 and systemd 243, yggdrasil fails
        # to set up the network adapter when DynamicUser is set.  See
        # github.com/yggdrasil-network/yggdrasil-go/issues/557.  The
        # following options are implied by DynamicUser according to
        # the systemd.exec documentation, and can be removed if the
        # upstream issue is fixed and DynamicUser is set to true:
        PrivateTmp = true;
        RemoveIPC = true;
        NoNewPrivileges = true;
        ProtectSystem = "strict";
        RestrictSUIDSGID = true;
        # End of list of options implied by DynamicUser.

        AmbientCapabilities = "CAP_NET_ADMIN";
        CapabilityBoundingSet = "CAP_NET_ADMIN";
        AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
        CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
        MemoryDenyWriteExecute = true;
        ProtectControlGroups = true;
        ProtectHome = "tmpfs";
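Review bot: The new `AmbientCapabilities`/`CapabilityBoundingSet` lines widen the service from `CAP_NET_ADMIN` to `CAP_NET_ADMIN CAP_NET_BIND_SERVICE`, a privilege increase that the commit message (which speaks only of re-enabling DynamicUser) does not explain; if the daemon needs to bind a port below 1024 by default, record that next to the line, otherwise keep the previous set. Suggested comment above `AmbientCapabilities`: `# CAP_NET_BIND_SERVICE: lets the unprivileged dynamic user bind listeners below port 1024 — TODO confirm this is actually required`. With the long TODO block removed, the file no longer says why DynamicUser is now safe; a one-line `# DynamicUser needs yggdrasil >= 0.4 (yggdrasil-go issue 557)` beside `DynamicUser = true;` preserves that. The `serviceConfig` attribute set continues past the end of this hunk.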