Loading nixos/modules/services/networking/netbird.nix +33 −8 Original line number Diff line number Diff line Loading @@ -543,14 +543,7 @@ in after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; path = optionals (!config.services.resolved.enable) [ pkgs.openresolv ] # useful for `netbird debug` system info gathering ++ optionals config.networking.nftables.enable [ pkgs.nftables ] ++ optionals (!config.networking.nftables.enable) [ pkgs.iptables pkgs.ipset ]; path = optionals (!config.services.resolved.enable) [ pkgs.openresolv ]; serviceConfig = { ExecStart = "${getExe client.wrapper} service run"; Loading @@ -574,6 +567,38 @@ in } ); } # netbird debug bundle related configurations { systemd.services = toClientAttrs ( client: nameValuePair client.service.name { /* lets NetBird daemon know which systemd service to gather logs for see https://github.com/netbirdio/netbird/blob/2c87fa623654c5eef76bc0226062290201eef13a/client/internal/debug/debug_linux.go#L50-L51 */ environment.SYSTEMD_UNIT = client.service.name; path = optionals config.networking.nftables.enable [ pkgs.nftables ] ++ optionals (!config.networking.nftables.enable) [ pkgs.iptables pkgs.ipset ]; } ); users.users = toHardenedClientAttrs ( client: nameValuePair client.user.name { extraGroups = [ /* allows debug bundles to gather systemd logs for `netbird*.service` this is not ideal for hardening as it grants access to the whole journal, not just own logs */ "systemd-journal" ]; } ); } # Hardening section (mkIf (hardenedClients != { }) { users.groups = toHardenedClientAttrs (client: nameValuePair client.user.group { }); Loading Loading
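Review bot: In the second hunk the `systemd-journal` group is added unconditionally to every hardened client user via `toHardenedClientAttrs`, which widens the hardened account's privileges (read access to the whole journal, as the inline comment itself notes) in order to support an optional `netbird debug` bundle feature. Consider making that membership opt-in behind a per-client option that defaults to off, e.g. `extraGroups = optionals <per-client debug-bundle option, placeholder> [ "systemd-journal" ];`, and documenting the trade-off in that option's description so users running the hardened profile do not get the wider journal access silently. It would also read more clearly if this `users.users` attribute lived in the "Hardening section" next to the `users.groups` definition it pairs with, rather than in the debug-bundle block. The enclosing list of config attrsets starts and ends outside the hunk, so the `mkIf (hardenedClients != { })` guard below may or may not already cover this; if `toHardenedClientAttrs` yields an empty set when no hardened clients exist that is fine, but it is worth confirming. The same file section is printed twice on this page; the note applies to both copies.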
nixos/modules/services/networking/netbird.nix +33 −8 Original line number Diff line number Diff line Loading @@ -543,14 +543,7 @@ in after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; path = optionals (!config.services.resolved.enable) [ pkgs.openresolv ] # useful for `netbird debug` system info gathering ++ optionals config.networking.nftables.enable [ pkgs.nftables ] ++ optionals (!config.networking.nftables.enable) [ pkgs.iptables pkgs.ipset ]; path = optionals (!config.services.resolved.enable) [ pkgs.openresolv ]; serviceConfig = { ExecStart = "${getExe client.wrapper} service run"; Loading @@ -574,6 +567,38 @@ in } ); } # netbird debug bundle related configurations { systemd.services = toClientAttrs ( client: nameValuePair client.service.name { /* lets NetBird daemon know which systemd service to gather logs for see https://github.com/netbirdio/netbird/blob/2c87fa623654c5eef76bc0226062290201eef13a/client/internal/debug/debug_linux.go#L50-L51 */ environment.SYSTEMD_UNIT = client.service.name; path = optionals config.networking.nftables.enable [ pkgs.nftables ] ++ optionals (!config.networking.nftables.enable) [ pkgs.iptables pkgs.ipset ]; } ); users.users = toHardenedClientAttrs ( client: nameValuePair client.user.name { extraGroups = [ /* allows debug bundles to gather systemd logs for `netbird*.service` this is not ideal for hardening as it grants access to the whole journal, not just own logs */ "systemd-journal" ]; } ); } # Hardening section (mkIf (hardenedClients != { }) { users.groups = toHardenedClientAttrs (client: nameValuePair client.user.group { }); Loading