commit 604a820cfd5232622017bf6033ac946a9ec7fce7 · pyrox.dev/nixpkgs

+33 -8

nixos/modules/services/networking/netbird.nix

···

       543
        
                 after = [ "network.target" ];

     

       544
        
                 wantedBy = [ "multi-user.target" ];

     

       545
        
       

     

       546
       -
                 path =

     

       547
       -
                   optionals (!config.services.resolved.enable) [ pkgs.openresolv ]

     

       548
       -
                   # useful for `netbird debug` system info gathering

     

       549
       -
                   ++ optionals config.networking.nftables.enable [ pkgs.nftables ]

     

       550
       -
                   ++ optionals (!config.networking.nftables.enable) [

     

       551
       -
                     pkgs.iptables

     

       552
       -
                     pkgs.ipset

     

       553
       -
                   ];

     

       554
        
       

     

       555
        
                 serviceConfig = {

     

       556
        
                   ExecStart = "${getExe client.wrapper} service run";

     
···

       571
        
                 };

     

       572
        
       

     

       573
        
                 stopIfChanged = false;

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       574
        
               }

     

       575
        
             );

     

       576
        
           }

···

       543
        
                 after = [ "network.target" ];

     

       544
        
                 wantedBy = [ "multi-user.target" ];

     

       545
        
       

     

       546
       +
                 path = optionals (!config.services.resolved.enable) [ pkgs.openresolv ];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       547
        
       

     

       548
        
                 serviceConfig = {

     

       549
        
                   ExecStart = "${getExe client.wrapper} service run";

     
···

       564
        
                 };

     

       565
        
       

     

       566
        
                 stopIfChanged = false;

     

       567
       +
               }

     

       568
       +
             );

     

       569
       +
           }

     

       570
       +
           # netbird debug bundle related configurations

     

       571
       +
           {

     

       572
       +
             systemd.services = toClientAttrs (

     

       573
       +
               client:

     

       574
       +
               nameValuePair client.service.name {

     

       575
       +
                 /*

     

       576
       +
                   lets NetBird daemon know which systemd service to gather logs for

     

       577
       +
                   see https://github.com/netbirdio/netbird/blob/2c87fa623654c5eef76bc0226062290201eef13a/client/internal/debug/debug_linux.go#L50-L51

     

       578
       +
                 */

     

       579
       +
                 environment.SYSTEMD_UNIT = client.service.name;

     

       580
       +
       

     

       581
       +
                 path =

     

       582
       +
                   optionals config.networking.nftables.enable [ pkgs.nftables ]

     

       583
       +
                   ++ optionals (!config.networking.nftables.enable) [

     

       584
       +
                     pkgs.iptables

     

       585
       +
                     pkgs.ipset

     

       586
       +
                   ];

     

       587
       +
               }

     

       588
       +
             );

     

       589
       +
             users.users = toHardenedClientAttrs (

     

       590
       +
               client:

     

       591
       +
               nameValuePair client.user.name {

     

       592
       +
                 extraGroups = [

     

       593
       +
                   /*

     

       594
       +
                     allows debug bundles to gather systemd logs for `netbird*.service`

     

       595
       +
                     this is not ideal for hardening as it grants access to the whole journal, not just own logs

     

       596
       +
                   */

     

       597
       +
                   "systemd-journal"

     

       598
       +
                 ];

     

       599
        
               }

     

       600
        
             );

     

       601
        
           }