Unverified Commit 551af99f authored by Sandro Jäckel's avatar Sandro Jäckel Committed by GitHub

nixos/netbird: moved login hardening to the hardening section (#486924)

parents 63135243 6f60e8ec
+60 −48
@@ -660,7 +660,9 @@ in
        }
      );

      systemd.services = toHardenedClientAttrs (
      systemd.services = mkMerge [
        # netbird services
        (toHardenedClientAttrs (
          client:
          nameValuePair client.service.name (
            mkIf client.hardened {
@@ -699,7 +701,25 @@ in
              };
            }
          )
      );
        ))
        # netbird-login services
        (toHardenedClientAttrs (
          client:
          nameValuePair "${client.service.name}-login" (
            mkIf client.hardened {
              serviceConfig = {
                User = client.user.name;
                Group = client.user.group;

                RemoveIPC = true;
                PrivateTmp = "disconnected"; # "disconnected" puts /tmp on `tmpfs`
                ProtectSystem = "strict";
                ProtectHome = "yes";
              };
            }
          )
        ))
      ];

      # see https://github.com/systemd/systemd/blob/17f3e91e8107b2b29fe25755651b230bbc81a514/src/resolve/org.freedesktop.resolve1.policy#L43-L43
      # see all actions used at https://github.com/netbirdio/netbird/blob/13e7198046a0d73a9cd91bf8e063fafb3d41885c/client/internal/dns/systemd_linux.go#L29-L32
@@ -736,14 +756,6 @@ in
              Type = "oneshot";
              RemainAfterExit = true;

              User = client.user.name;
              Group = client.user.group;

              RemoveIPC = true;
              PrivateTmp = "disconnected"; # "disconnected" puts /tmp on `tmpfs`
              ProtectSystem = "strict";
              ProtectHome = "yes";

              LoadCredential = [ "setup-key:${client.login.setupKeyFile}" ];
            };