pyrox.dev / nixpkgs
lol
fork atom

fixup! nixos/redlib: use upstream systemd service file

Guanran Wang 4a0893c1 743d0ff9

options
unified split
Changed files
+20 -11
nixos
modules
services
misc
redlib.nix
+20 -11
nixos/modules/services/misc/redlib.nix 
···

       
93

       
93

       
 

       
    systemd.services.redlib = {


     

       
94

       
94

       
 

       
      wantedBy = [ "default.target" ];


     

       
95

       
95

       
 

       
      environment = mapAttrs (_: v: if isBool v then boolToString' v else toString v) cfg.settings;


     

       
96

       

       
-

       
      serviceConfig = {


     

       
97

       

       
-

       
        ExecStart = [


     

       
98

       

       
-

       
          ""


     

       
99

       

       
-

       
          "${lib.getExe cfg.package} ${args}"


     

       
100

       

       
-

       
        ];


     

       
101

       

       
-

       
        AmbientCapabilities = lib.mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ];


     

       
102

       

       
-

       
        CapabilityBoundingSet = if (cfg.port < 1024) then [ "CAP_NET_BIND_SERVICE" ] else [ "" ];


     

       
103

       

       
-

       
        # A private user cannot have process capabilities on the host's user


     

       
104

       

       
-

       
        # namespace and thus CAP_NET_BIND_SERVICE has no effect.


     

       
105

       

       
-

       
        PrivateUsers = (cfg.port >= 1024);


     

       
106

       

       
-

       
      };


     

       

       
96

       
+

       
      serviceConfig =


     

       

       
97

       
+

       
        {


     

       

       
98

       
+

       
          ExecStart = [


     

       

       
99

       
+

       
            ""


     

       

       
100

       
+

       
            "${lib.getExe cfg.package} ${args}"


     

       

       
101

       
+

       
          ];


     

       

       
102

       
+

       
        }


     

       

       
103

       
+

       
        // (


     

       

       
104

       
+

       
          if (cfg.port < 1024) then


     

       

       
105

       
+

       
            {


     

       

       
106

       
+

       
              AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];


     

       

       
107

       
+

       
              CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];


     

       

       
108

       
+

       
            }


     

       

       
109

       
+

       
          else


     

       

       
110

       
+

       
            {


     

       

       
111

       
+

       
              # A private user cannot have process capabilities on the host's user


     

       

       
112

       
+

       
              # namespace and thus CAP_NET_BIND_SERVICE has no effect.


     

       

       
113

       
+

       
              PrivateUsers = true;


     

       

       
114

       
+

       
            }


     

       

       
115

       
+

       
        );


     

       
107

       
116

       
 

       
    };


     

       
108

       
117

       
 

       



     

       
109

       
118

       
 

       
    networking.firewall = mkIf cfg.openFirewall {