nixos/tests/acme: use CAP_NET_BIND_SERVICE

2 files changed, 2 insertions, 4 deletions

diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix
index 032432287bd..693f02962f4 100644
--- a/nixos/tests/acme.nix
+++ b/nixos/tests/acme.nix
@@ -33,8 +33,7 @@ in import ./make-test-python.nix {
         serviceConfig = {
           ExecStart = "${pkgs.pebble}/bin/pebble-challtestsrv -dns01 ':53' -defaultIPv6 '' -defaultIPv4 '${nodes.webserver.config.networking.primaryIPAddress}'";
           # Required to bind on privileged ports.
-          User = "root";
-          Group = "root";
+          AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
         };
       };
     };
diff --git a/nixos/tests/common/acme/server/default.nix b/nixos/tests/common/acme/server/default.nix
index fdc053a2d82..1d6c2cc9d30 100644
--- a/nixos/tests/common/acme/server/default.nix
+++ b/nixos/tests/common/acme/server/default.nix
@@ -126,8 +126,7 @@ in {
         '';
         serviceConfig = {
           # Required to bind on privileged ports.
-          User = "root";
-          Group = "root";
+          AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
         };
       };
     };