forked from mirrors/nixpkgs
yubikey-agent: fix systemd unit
I was getting problems with the unit failing to start due to NAMESPACE or CAPABILITIES permissions. Upstream now provides a systemd unit file in the repo, we should use that one, and that one works for me.
This commit is contained in:
Philip Potter
parent
e019872af8
commit
dfb0999f73
|
|
@ -2,13 +2,13 @@
|
|||
|
||||
buildGoModule rec {
|
||||
pname = "yubikey-agent";
|
||||
version = "0.1.3";
|
||||
version = "unstable-2021-02-18";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "FiloSottile";
|
||||
repo = pname;
|
||||
rev = "v${version}";
|
||||
sha256 = "07gix5wrakn4z846zhvl66lzwx58djrfnn6m8v7vc69l9jr3kihr";
|
||||
rev = "8cadc13d107757f8084d9d2b93ea64ff0c1748e8";
|
||||
sha256 = "1lklgq9qkqil5s0g56wbhs0vpr9c1bd4ir7bkrjwqj75ygxim8ml";
|
||||
};
|
||||
|
||||
buildInputs =
|
||||
|
|
@ -25,7 +25,7 @@ buildGoModule rec {
|
|||
substituteInPlace main.go --replace 'notify-send' ${libnotify}/bin/notify-send
|
||||
'';
|
||||
|
||||
vendorSha256 = "128mlsagj3im6h0p0ndhzk29ya47g19im9dldx3nmddf2jlccj2h";
|
||||
vendorSha256 = "1zx1w2is61471v4dlmr4wf714zqsc8sppik671p7s4fis5vccsca";
|
||||
|
||||
doCheck = false;
|
||||
|
||||
|
|
@ -42,7 +42,7 @@ buildGoModule rec {
|
|||
# See https://github.com/FiloSottile/yubikey-agent/pull/43
|
||||
+ lib.optionalString stdenv.isLinux ''
|
||||
mkdir -p $out/lib/systemd/user
|
||||
substitute ${./yubikey-agent.service} $out/lib/systemd/user/yubikey-agent.service \
|
||||
substitute contrib/systemd/user/yubikey-agent.service $out/lib/systemd/user/yubikey-agent.service \
|
||||
--replace 'ExecStart=yubikey-agent' "ExecStart=$out/bin/yubikey-agent"
|
||||
'';
|
||||
|
||||
|
|
|
|||
|
|
@ -1,35 +0,0 @@
|
|||
[Unit]
|
||||
Description=Seamless ssh-agent for YubiKeys
|
||||
Documentation=https://filippo.io/yubikey-agent
|
||||
|
||||
[Service]
|
||||
ExecStart=yubikey-agent -l %t/yubikey-agent/yubikey-agent.sock
|
||||
ExecReload=/bin/kill -HUP $MAINPID
|
||||
ProtectSystem=strict
|
||||
ProtectKernelLogs=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectKernelTunables=yes
|
||||
ProtectControlGroups=yes
|
||||
ProtectClock=yes
|
||||
ProtectHostname=yes
|
||||
PrivateTmp=yes
|
||||
PrivateDevices=yes
|
||||
PrivateUsers=yes
|
||||
IPAddressDeny=any
|
||||
RestrictAddressFamilies=AF_UNIX
|
||||
RestrictNamespaces=yes
|
||||
RestrictRealtime=yes
|
||||
RestrictSUIDSGID=yes
|
||||
LockPersonality=yes
|
||||
CapabilityBoundingSet=
|
||||
SystemCallFilter=@system-service
|
||||
SystemCallFilter=~@privileged @resources
|
||||
SystemCallErrorNumber=EPERM
|
||||
SystemCallArchitectures=native
|
||||
NoNewPrivileges=yes
|
||||
KeyringMode=private
|
||||
UMask=0177
|
||||
RuntimeDirectory=yubikey-agent
|
||||
|
||||
[Install]
|
||||
WantedBy=default.target
|
||||
Loading…
Reference in a new issue