forked from mirrors/nixpkgs
yggdrasil: add group option back and remove systemd User= directive
The group configuration parameter allow to share access to yggdrasil control socket with the users in the system. In the version we propose, it is null by default so that only root can access the control socket, but let user create their own group if they need. Remove User= durective in systemd unit. Should a user with the specified name already exist in the system, it would be used silently instead of a dynamic user which could be a security concern.
This commit is contained in:
parent
080774e28f
commit
fc9e22fca1
|
@ -60,6 +60,13 @@ in {
|
|||
'';
|
||||
};
|
||||
|
||||
group = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = "wheel";
|
||||
description = "Group to grant access to the Yggdrasil control socket. If <code>null</code>, only root can access the socket.";
|
||||
};
|
||||
|
||||
openMulticastPort = mkOption {
|
||||
type = bool;
|
||||
default = false;
|
||||
|
@ -147,7 +154,6 @@ in {
|
|||
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
|
||||
Restart = "always";
|
||||
|
||||
User = "yggdrasil";
|
||||
DynamicUser = true;
|
||||
StateDirectory = "yggdrasil";
|
||||
RuntimeDirectory = "yggdrasil";
|
||||
|
@ -168,7 +174,9 @@ in {
|
|||
RestrictRealtime = true;
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @resources";
|
||||
};
|
||||
} // (if (cfg.group != null) then {
|
||||
Group = cfg.group;
|
||||
} else {});
|
||||
};
|
||||
|
||||
networking.dhcpcd.denyInterfaces = cfg.denyDhcpcdInterfaces;
|
||||
|
|
Loading…
Reference in a new issue