
nixos/nebula: simply service user logic

This commit is contained in:
Aaron Andersen 2021-02-09 20:45:17 -05:00
parent e8eaea9627
commit b52a8f67dd


@ -139,66 +139,66 @@ in
# Implementation # Implementation
config = config = mkIf cfg.enable {
let services.nebula.settings = {
# The service needs to launch as root to access the tun device, if it's enabled. pki = {
serviceUser = if cfg.tun.disable then "nebula" else "root"; ca = cfg.ca;
serviceGroup = if cfg.tun.disable then "nebula" else "root"; cert = cfg.cert;
in mkIf cfg.enable { key = cfg.key;
services.nebula.settings = {
pki = {
ca = cfg.ca;
cert = cfg.cert;
key = cfg.key;
};
static_host_map = cfg.staticHostMap;
lighthouse = {
am_lighthouse = cfg.isLighthouse;
hosts = cfg.lighthouses;
};
listen = {
host = cfg.listen.host;
port = cfg.listen.port;
};
punchy = {
punch = cfg.punch;
};
tun = {
disabled = cfg.tun.disable;
dev = cfg.tun.device;
};
firewall = {
inbound = cfg.firewall.inbound;
outbound = cfg.firewall.outbound;
};
}; };
static_host_map = cfg.staticHostMap;
lighthouse = {
am_lighthouse = cfg.isLighthouse;
hosts = cfg.lighthouses;
};
listen = {
host = cfg.listen.host;
port = cfg.listen.port;
};
punchy = {
punch = cfg.punch;
};
tun = {
disabled = cfg.tun.disable;
dev = cfg.tun.device;
};
firewall = {
inbound = cfg.firewall.inbound;
outbound = cfg.firewall.outbound;
};
};
# Create systemd service for Nebula. # Create systemd service for Nebula.
systemd.services.nebula = { systemd.services.nebula = {
description = nebulaDesc; description = nebulaDesc;
after = [ "network.target" ]; after = [ "network.target" ];
before = [ "sshd.service" ]; before = [ "sshd.service" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
serviceConfig = { serviceConfig = mkMerge [
{
Type = "simple"; Type = "simple";
Restart = "always"; Restart = "always";
User = serviceUser;
Group = serviceGroup;
ExecStart = "${cfg.package}/bin/nebula -config ${configFile}"; ExecStart = "${cfg.package}/bin/nebula -config ${configFile}";
}; }
}; # The service needs to launch as root to access the tun device, if it's enabled.
(mkIf cfg.tun.disable {
# Open the chosen port for UDP. User = "nebula";
networking.firewall.allowedUDPPorts = [ cfg.listen.port ]; Group = "nebula";
})
# Create the service user and its group. ];
users.users."nebula" = {
name = "nebula";
group = "nebula";
description = "Nebula service user";
isSystemUser = true;
packages = [ cfg.package ];
};
users.groups."nebula" = {};
}; };
# Open the chosen port for UDP.
networking.firewall.allowedUDPPorts = [ cfg.listen.port ];
# Create the service user and its group.
users.users."nebula" = {
name = "nebula";
group = "nebula";
description = "Nebula service user";
isSystemUser = true;
packages = [ cfg.package ];
};
users.groups."nebula" = {};
};
} }
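Review bot: The `mkIf cfg.tun.disable` branch of `serviceConfig` leaves the daemon running as root with no sandboxing whenever the tun device is in use, which is Nebula's normal operating mode; creating and configuring a tun interface needs only `CAP_NET_ADMIN`, which systemd can grant to the unprivileged `nebula` user via `AmbientCapabilities`. Setting `User`/`Group` unconditionally and adding a capability-granting branch for the tun case keeps the reduced privilege in both modes without the root fallback; whether nebula needs anything beyond `CAP_NET_ADMIN` (for example access to `/dev/net/tun`, which is normally world-accessible) should be confirmed by running the service this way. The `users.users."nebula"` definition further down is already unconditional, so the account exists in either case. The comment `# The service needs to launch as root to access the tun device, if it's enabled.` would then need rewording to state the capability requirement instead.
```nix
serviceConfig = mkMerge [
  {
    # … unchanged: Type, Restart, ExecStart …
    User = "nebula";
    Group = "nebula";
  }
  # Creating and configuring the tun device needs CAP_NET_ADMIN; grant
  # only that capability instead of running the whole daemon as root.
  (mkIf (!cfg.tun.disable) {
    AmbientCapabilities = [ "CAP_NET_ADMIN" ];
    CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
  })
];
```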