Commit fc9e22fc authored by oaksoaj's avatar oaksoaj Committed by ehmry

yggdrasil: add group option back and remove systemd User= directive

The group configuration parameter allows sharing access to the yggdrasil
control socket with the users in the system. In the version we propose,
it is null by default so that only root can access the control socket,
but it lets users create their own group if they need to.

Remove the User= directive in the systemd unit. Should a user with the specified
name already exist in the system, it would be used silently instead of a
dynamic user, which could be a security concern.
parent 080774e2
+10 −2
@@ -60,6 +60,13 @@ in {
        '';
      };

      group = mkOption {
        type = types.nullOr types.str;
        default = null;
        example = "wheel";
        description = "Group to grant access to the Yggdrasil control socket. If <code>null</code>, only root can access the socket.";
      };

      openMulticastPort = mkOption {
        type = bool;
        default = false;
@@ -147,7 +154,6 @@ in {
        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
        Restart = "always";

        User = "yggdrasil";
        DynamicUser = true;
        StateDirectory = "yggdrasil";
        RuntimeDirectory = "yggdrasil";
@@ -168,7 +174,9 @@ in {
        RestrictRealtime = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @resources";
      };
      } // (if (cfg.group != null) then {
        Group = cfg.group;
      } else {});
    };

    networking.dhcpcd.denyInterfaces = cfg.denyDhcpcdInterfaces;
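Review bot: The `group` option's description says it only grants access to the control socket, but `Group = cfg.group;` in the last hunk makes that group the daemon's own GID, so the network-facing process also gains whatever file access the group has, and `example = "wheel"` points at what is usually an administrative group. I would use a dedicated group in the example, e.g. `example = "yggdrasil-ctl";` (a constructed name), and append to the description `The service itself runs with this group, so prefer a dedicated group over an administrative one.` Because `DynamicUser = true` stays, systemd presumably still picks up an existing group of that name silently, the same behaviour this commit removes for `User=`, so that is worth stating in the option text as well. As a style point, the conditional merge could be written `// optionalAttrs (cfg.group != null) { Group = cfg.group; }`, assuming `lib` is in scope, which is not visible in these hunks.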