mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-01-22 14:45:27 +00:00
nixos/nebula: simply service user logic
This commit is contained in:
parent
e8eaea9627
commit
b52a8f67dd
|
@ -139,66 +139,66 @@ in
|
||||||
|
|
||||||
# Implementation
|
# Implementation
|
||||||
|
|
||||||
config =
|
config = mkIf cfg.enable {
|
||||||
let
|
services.nebula.settings = {
|
||||||
# The service needs to launch as root to access the tun device, if it's enabled.
|
pki = {
|
||||||
serviceUser = if cfg.tun.disable then "nebula" else "root";
|
ca = cfg.ca;
|
||||||
serviceGroup = if cfg.tun.disable then "nebula" else "root";
|
cert = cfg.cert;
|
||||||
in mkIf cfg.enable {
|
key = cfg.key;
|
||||||
services.nebula.settings = {
|
|
||||||
pki = {
|
|
||||||
ca = cfg.ca;
|
|
||||||
cert = cfg.cert;
|
|
||||||
key = cfg.key;
|
|
||||||
};
|
|
||||||
static_host_map = cfg.staticHostMap;
|
|
||||||
lighthouse = {
|
|
||||||
am_lighthouse = cfg.isLighthouse;
|
|
||||||
hosts = cfg.lighthouses;
|
|
||||||
};
|
|
||||||
listen = {
|
|
||||||
host = cfg.listen.host;
|
|
||||||
port = cfg.listen.port;
|
|
||||||
};
|
|
||||||
punchy = {
|
|
||||||
punch = cfg.punch;
|
|
||||||
};
|
|
||||||
tun = {
|
|
||||||
disabled = cfg.tun.disable;
|
|
||||||
dev = cfg.tun.device;
|
|
||||||
};
|
|
||||||
firewall = {
|
|
||||||
inbound = cfg.firewall.inbound;
|
|
||||||
outbound = cfg.firewall.outbound;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
static_host_map = cfg.staticHostMap;
|
||||||
|
lighthouse = {
|
||||||
|
am_lighthouse = cfg.isLighthouse;
|
||||||
|
hosts = cfg.lighthouses;
|
||||||
|
};
|
||||||
|
listen = {
|
||||||
|
host = cfg.listen.host;
|
||||||
|
port = cfg.listen.port;
|
||||||
|
};
|
||||||
|
punchy = {
|
||||||
|
punch = cfg.punch;
|
||||||
|
};
|
||||||
|
tun = {
|
||||||
|
disabled = cfg.tun.disable;
|
||||||
|
dev = cfg.tun.device;
|
||||||
|
};
|
||||||
|
firewall = {
|
||||||
|
inbound = cfg.firewall.inbound;
|
||||||
|
outbound = cfg.firewall.outbound;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
# Create systemd service for Nebula.
|
# Create systemd service for Nebula.
|
||||||
systemd.services.nebula = {
|
systemd.services.nebula = {
|
||||||
description = nebulaDesc;
|
description = nebulaDesc;
|
||||||
after = [ "network.target" ];
|
after = [ "network.target" ];
|
||||||
before = [ "sshd.service" ];
|
before = [ "sshd.service" ];
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
serviceConfig = {
|
serviceConfig = mkMerge [
|
||||||
|
{
|
||||||
Type = "simple";
|
Type = "simple";
|
||||||
Restart = "always";
|
Restart = "always";
|
||||||
User = serviceUser;
|
|
||||||
Group = serviceGroup;
|
|
||||||
ExecStart = "${cfg.package}/bin/nebula -config ${configFile}";
|
ExecStart = "${cfg.package}/bin/nebula -config ${configFile}";
|
||||||
};
|
}
|
||||||
};
|
# The service needs to launch as root to access the tun device, if it's enabled.
|
||||||
|
(mkIf cfg.tun.disable {
|
||||||
# Open the chosen port for UDP.
|
User = "nebula";
|
||||||
networking.firewall.allowedUDPPorts = [ cfg.listen.port ];
|
Group = "nebula";
|
||||||
|
})
|
||||||
# Create the service user and its group.
|
];
|
||||||
users.users."nebula" = {
|
|
||||||
name = "nebula";
|
|
||||||
group = "nebula";
|
|
||||||
description = "Nebula service user";
|
|
||||||
isSystemUser = true;
|
|
||||||
packages = [ cfg.package ];
|
|
||||||
};
|
|
||||||
users.groups."nebula" = {};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Open the chosen port for UDP.
|
||||||
|
networking.firewall.allowedUDPPorts = [ cfg.listen.port ];
|
||||||
|
|
||||||
|
# Create the service user and its group.
|
||||||
|
users.users."nebula" = {
|
||||||
|
name = "nebula";
|
||||||
|
group = "nebula";
|
||||||
|
description = "Nebula service user";
|
||||||
|
isSystemUser = true;
|
||||||
|
packages = [ cfg.package ];
|
||||||
|
};
|
||||||
|
users.groups."nebula" = {};
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue