author | Gemini Lasswell <gazally@runbox.com> | 2019-09-22 08:08:42 -0700 |
---|---|---|
committer | Emery Hemingway <ehmry@posteo.net> | 2019-10-26 13:51:31 +0200 |
commit | d6549a2c42e7e0b134f44fc387722765eaae88c2 (patch) | |
tree | 1c4957d0e723e96ec08b634d983282fda7b61375 /nixos/modules/services/networking/yggdrasil.nix | |
parent | b8cb8c39d6aa8a8e9ec9a95f95dd480478b60f4a (diff) | |
nixos/yggdrasil: remove DynamicUser for systemd 243
Diffstat (limited to 'nixos/modules/services/networking/yggdrasil.nix')
-rw-r--r-- | nixos/modules/services/networking/yggdrasil.nix | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/nixos/modules/services/networking/yggdrasil.nix b/nixos/modules/services/networking/yggdrasil.nix
index e11f21e60fc..0da50ccc344 100644
--- a/nixos/modules/services/networking/yggdrasil.nix
+++ b/nixos/modules/services/networking/yggdrasil.nix
@@ -155,7 +155,19 @@ in {
 BindReadOnlyPaths = mkIf configFileProvided [ "${cfg.configFile}:/run/yggdrasil/configFile.json" ];
- DynamicUser = true;
+ # TODO: as of yggdrasil 0.3.8 and systemd 243, yggdrasil fails
+ # to set up the network adapter when DynamicUser is set. See
+ # github.com/yggdrasil-network/yggdrasil-go/issues/557. The
+ # following options are implied by DynamicUser according to
+ # the systemd.exec documentation, and can be removed if the
+ # upstream issue is fixed and DynamicUser is set to true:
+ PrivateTmp = true;
+ RemoveIPC = true;
+ NoNewPrivileges = true;
+ ProtectSystem = "strict";
+ RestrictSUIDSGID = true;
+ # End of list of options implied by DynamicUser.
+
 AmbientCapabilities = "CAP_NET_ADMIN";
 CapabilityBoundingSet = "CAP_NET_ADMIN";
 MemoryDenyWriteExecute = true; |
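Review bot: The list that replaces `DynamicUser = true;` leaves out `ProtectHome = "read-only";`, which systemd.exec documents as implied by DynamicUser together with `ProtectSystem = "strict"`, so the unit loses a protection it had before this change. No `User =` or `Group =` is visible in the hunk; if none is set elsewhere in `serviceConfig`, the daemon now runs as root, restricted only by the `CAP_NET_ADMIN` bounding set and the remaining sandbox options. In that case `RemoveIPC = true;` also does nothing, since systemd applies it only when User, Group or DynamicUser is used. I would add the `ProtectHome` line and extend the TODO with something like `# NOTE: without DynamicUser the service runs as root unless User= is set.` so the privilege change is explicit to the next maintainer. The `serviceConfig` attribute set begins and ends outside the hunk, so the root-user point needs confirming against the full file.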