author | Robin Gloster <mail@glob.in> | 2016-02-10 18:15:39 +0100 |
committer | Robin Gloster <mail@glob.in> | 2016-02-10 18:15:39 +0100 |
commit | c341a01281bad9c47ea1aa7bf67672de25d4d3d9 (patch) | |
tree | 44854b73d8bbce5db8778e8049dddd7c496c7859 /nixos | |
parent | e47d323a10d71581fe3d72a12f0848d36b083a34 (diff) | |
parent | 5c19830b77c00f87fa67121dadeb16096a6d18e2 (diff) | |
Merge pull request #12913 from tg-x/tinc-chroot
tinc: enable chroot
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/networking/tinc.nix | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/nixos/modules/services/networking/tinc.nix b/nixos/modules/services/networking/tinc.nix
index 34f4f6b37b6..9330e6c92ba 100644
--- a/nixos/modules/services/networking/tinc.nix
+++ b/nixos/modules/services/networking/tinc.nix
@@ -95,6 +95,16 @@ in
 '';
 };
+ chroot = mkOption {
+ default = true;
+ type = types.bool;
+ description = ''
+ Change process root directory to the directory where the config file is located (/etc/tinc/netname/), for added security.
+ The chroot is performed after all the initialization is done, after writing pid files and opening network sockets.
+
+ Note that tinc can't run scripts anymore (such as tinc-down or host-up), unless it is setup to be runnable inside chroot environment.
+ '';
+ };
 };
 };
 };
@@ -166,7 +176,7 @@ in
 fi
 '';
 script = ''
- tincd -D -U tinc.${network} -n ${network} --pidfile /run/tinc.${network}.pid -d ${toString data.debugLevel}
+ tincd -D -U tinc.${network} -n ${network} ${optionalString (data.chroot) "-R"} --pidfile /run/tinc.${network}.pid -d ${toString data.debugLevel}
 '';
 })
 );
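Review bot: Defaulting `chroot` to true silently disables tinc-up/tinc-down and host-up/host-down scripts for every existing network definition, and the description only mentions this as a side note instead of telling the user how to keep scripts working; it should state that this changes previous behavior and that a network relying on scripts must set `chroot = false;` (or ship scripts that are self-contained inside the chroot). On NixOS the files under /etc/tinc/&lt;netname&gt;/ are presumably symlinks into /nix/store via environment.etc, so anything tinc reopens after the chroot — a configuration reload on SIGHUP, for instance — would likely resolve those symlinks outside the new root; worth confirming against tinc's reload behavior and noting in the description if so. Minor wording in the last sentence: `unless it is setup to be runnable inside chroot environment` reads better as `unless they are set up to run inside the chroot environment`. The enclosing option set and the module itself start and end outside this hunk.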
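Review bot: The parentheses in `${optionalString (data.chroot) "-R"}` are redundant, since `data.chroot` is a plain attribute path, and the rest of this line does not parenthesize its interpolations; `${optionalString data.chroot "-R"}` matches the surrounding style. Because the chroot is performed after the pid file is written and the sockets are opened (as the option description states), the `-U tinc.${network}` privilege drop still applies, but nothing on this line tells a reader why scripts stop working once `-R` is in effect; a one-line comment such as `# -R chroots into /etc/tinc/<network>/; tinc-up/host-up scripts only run when chroot = false` would save the next maintainer a trip to the man page. The enclosing service-definition attribute set starts and ends outside this hunk.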