diff --git a/nixos/modules/services/networking/yggdrasil.nix b/nixos/modules/services/networking/yggdrasil.nix
index 99c18ae6919e..8e88064a9071 100644
--- a/nixos/modules/services/networking/yggdrasil.nix
+++ b/nixos/modules/services/networking/yggdrasil.nix
@@ -60,13 +60,6 @@ in {
 '';
 };
- group = mkOption {
- type = types.str;
- default = "root";
- example = "wheel";
- description = "Group to grant access to the Yggdrasil control socket.";
- };
-
 openMulticastPort = mkOption {
 type = bool;
 default = false;
@@ -154,27 +147,17 @@ in {
 ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
 Restart = "always";
- Group = cfg.group;
+ User = "yggdrasil";
+ DynamicUser = true;
+ StateDirectory = "yggdrasil";
 RuntimeDirectory = "yggdrasil";
 RuntimeDirectoryMode = "0750";
 BindReadOnlyPaths = lib.optional configFileProvided cfg.configFile ++ lib.optional cfg.persistentKeys keysPath;
+ ReadWritePaths = "/run/yggdrasil";
- # TODO: as of yggdrasil 0.3.8 and systemd 243, yggdrasil fails
- # to set up the network adapter when DynamicUser is set. See
- # github.com/yggdrasil-network/yggdrasil-go/issues/557. The
- # following options are implied by DynamicUser according to
- # the systemd.exec documentation, and can be removed if the
- # upstream issue is fixed and DynamicUser is set to true:
- PrivateTmp = true;
- RemoveIPC = true;
- NoNewPrivileges = true;
- ProtectSystem = "strict";
- RestrictSUIDSGID = true;
- # End of list of options implied by DynamicUser.
-
- AmbientCapabilities = "CAP_NET_ADMIN";
- CapabilityBoundingSet = "CAP_NET_ADMIN";
+ AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
+ CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
 MemoryDenyWriteExecute = true;
 ProtectControlGroups = true;
 ProtectHome = "tmpfs";