3
0
Fork 0
forked from mirrors/nixpkgs

yggdrasil: add group option back and remove systemd User= directive

The group configuration parameter allow to share access to yggdrasil
control socket with the users in the system. In the version we propose,
it is null by default so that only root can access the control socket,
but let user create their own group if they need.

Remove User= durective in systemd unit. Should a user with the specified
name already exist in the system, it would be used silently instead of a
dynamic user which could be a security concern.
This commit is contained in:
oaksoaj 2022-07-02 18:20:27 +02:00 committed by ehmry
parent 080774e28f
commit fc9e22fca1

View file

@ -60,6 +60,13 @@ in {
'';
};
group = mkOption {
type = types.nullOr types.str;
default = null;
example = "wheel";
description = "Group to grant access to the Yggdrasil control socket. If <code>null</code>, only root can access the socket.";
};
openMulticastPort = mkOption {
type = bool;
default = false;
@ -147,7 +154,6 @@ in {
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
Restart = "always";
User = "yggdrasil";
DynamicUser = true;
StateDirectory = "yggdrasil";
RuntimeDirectory = "yggdrasil";
@ -168,7 +174,9 @@ in {
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @resources";
};
} // (if (cfg.group != null) then {
Group = cfg.group;
} else {});
};
networking.dhcpcd.denyInterfaces = cfg.denyDhcpcdInterfaces;