author | Aaron Andersen <aaron@fosslib.net> | 2021-02-09 20:45:17 -0500 |
---|---|---|
committer | Aaron Andersen <aaron@fosslib.net> | 2021-02-09 20:45:17 -0500 |
commit | b52a8f67dd0256fb3352121db544328dee84143c (patch) | |
tree | dcdf4c743a7eb6ffa3a99eed717f490a0f29f604 /nixos/modules/services/networking/nebula.nix | |
parent | e8eaea9627ce92ae35b0696154f68e00cd14fa7a (diff) | |
nixos/nebula: simply service user logic
Diffstat (limited to 'nixos/modules/services/networking/nebula.nix')
-rw-r--r-- | nixos/modules/services/networking/nebula.nix | 114 |
1 files changed, 57 insertions, 57 deletions
diff --git a/nixos/modules/services/networking/nebula.nix b/nixos/modules/services/networking/nebula.nix
index 888f9f96fbe..28504cded44 100644
--- a/nixos/modules/services/networking/nebula.nix
+++ b/nixos/modules/services/networking/nebula.nix
@@ -139,66 +139,66 @@ in
 # Implementation
- config =
- let
- # The service needs to launch as root to access the tun device, if it's enabled.
- serviceUser = if cfg.tun.disable then "nebula" else "root";
- serviceGroup = if cfg.tun.disable then "nebula" else "root";
- in mkIf cfg.enable {
- services.nebula.settings = {
- pki = {
- ca = cfg.ca;
- cert = cfg.cert;
- key = cfg.key;
- };
- static_host_map = cfg.staticHostMap;
- lighthouse = {
- am_lighthouse = cfg.isLighthouse;
- hosts = cfg.lighthouses;
- };
- listen = {
- host = cfg.listen.host;
- port = cfg.listen.port;
- };
- punchy = {
- punch = cfg.punch;
- };
- tun = {
- disabled = cfg.tun.disable;
- dev = cfg.tun.device;
- };
- firewall = {
- inbound = cfg.firewall.inbound;
- outbound = cfg.firewall.outbound;
- };
+ config = mkIf cfg.enable {
+ services.nebula.settings = {
+ pki = {
+ ca = cfg.ca;
+ cert = cfg.cert;
+ key = cfg.key;
 };
+ static_host_map = cfg.staticHostMap;
+ lighthouse = {
+ am_lighthouse = cfg.isLighthouse;
+ hosts = cfg.lighthouses;
+ };
+ listen = {
+ host = cfg.listen.host;
+ port = cfg.listen.port;
+ };
+ punchy = {
+ punch = cfg.punch;
+ };
+ tun = {
+ disabled = cfg.tun.disable;
+ dev = cfg.tun.device;
+ };
+ firewall = {
+ inbound = cfg.firewall.inbound;
+ outbound = cfg.firewall.outbound;
+ };
+ };
- # Create systemd service for Nebula.
- systemd.services.nebula = {
- description = nebulaDesc;
- after = [ "network.target" ];
- before = [ "sshd.service" ];
- wantedBy = [ "multi-user.target" ];
- serviceConfig = {
+ # Create systemd service for Nebula.
+ systemd.services.nebula = {
+ description = nebulaDesc;
+ after = [ "network.target" ];
+ before = [ "sshd.service" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = mkMerge [
+ {
 Type = "simple";
 Restart = "always";
- User = serviceUser;
- Group = serviceGroup;
 ExecStart = "${cfg.package}/bin/nebula -config ${configFile}";
- };
- };
-
- # Open the chosen port for UDP.
- networking.firewall.allowedUDPPorts = [ cfg.listen.port ];
-
- # Create the service user and its group.
- users.users."nebula" = {
- name = "nebula";
- group = "nebula";
- description = "Nebula service user";
- isSystemUser = true;
- packages = [ cfg.package ];
- };
- users.groups."nebula" = {};
- };
+ }
+ # The service needs to launch as root to access the tun device, if it's enabled.
+ (mkIf cfg.tun.disable {
+ User = "nebula";
+ Group = "nebula";
+ })
+ ];
+ };
+
+ # Open the chosen port for UDP.
+ networking.firewall.allowedUDPPorts = [ cfg.listen.port ];
+
+ # Create the service user and its group.
+ users.users."nebula" = {
+ name = "nebula";
+ group = "nebula";
+ description = "Nebula service user";
+ isSystemUser = true;
+ packages = [ cfg.package ];
+ };
+ users.groups."nebula" = {};
+ };
 }
|
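Review bot: The new `mkMerge` in `serviceConfig` still hands the daemon full root whenever `cfg.tun.disable` is false, which is the usual configuration, even though the comment only claims the tun device is the reason; creating and configuring a tun interface needs just `CAP_NET_ADMIN`, which systemd can grant to the unprivileged `nebula` user through `AmbientCapabilities` and `CapabilityBoundingSet`, so `User`/`Group` can stay `nebula` in both branches. A network daemon that listens on a UDP port this module opens in the firewall is a poor candidate for uid 0, since any fault in its packet handling then reaches the whole host, and the user selection being centralised here makes this the natural place to drop the privilege. Two preconditions that nothing in the hunk checks: the files named by `cfg.ca`, `cfg.cert` and `cfg.key` must be readable by the `nebula` user, and a `cfg.listen.port` below 1024 would additionally need `CAP_NET_BIND_SERVICE`. The sketch below keeps the `mkMerge` shape and only inverts the condition; the `users.users."nebula"` block and the rest of the hunk stay as they are.
```nix
serviceConfig = mkMerge [
  {
    # … unchanged: Type, Restart, ExecStart …
    User = "nebula";
    Group = "nebula";
  }
  # Creating and configuring the tun device needs CAP_NET_ADMIN, not full root.
  (mkIf (!cfg.tun.disable) {
    CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
    AmbientCapabilities = [ "CAP_NET_ADMIN" ];
  })
];
```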