fixup! nixos/redlib: use upstream systemd service file

This commit is contained in:
Guanran Wang 2024-11-22 15:24:46 +08:00
parent 743d0ff90b
commit 4a0893c186
No known key found for this signature in database
GPG Key ID: 91F97D9ED12639CF


@ -93,17 +93,26 @@ in
systemd.services.redlib = { systemd.services.redlib = {
wantedBy = [ "default.target" ]; wantedBy = [ "default.target" ];
environment = mapAttrs (_: v: if isBool v then boolToString' v else toString v) cfg.settings; environment = mapAttrs (_: v: if isBool v then boolToString' v else toString v) cfg.settings;
serviceConfig = { serviceConfig =
{
ExecStart = [ ExecStart = [
"" ""
"${lib.getExe cfg.package} ${args}" "${lib.getExe cfg.package} ${args}"
]; ];
AmbientCapabilities = lib.mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ]; }
CapabilityBoundingSet = if (cfg.port < 1024) then [ "CAP_NET_BIND_SERVICE" ] else [ "" ]; // (
if (cfg.port < 1024) then
{
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
}
else
{
# A private user cannot have process capabilities on the host's user # A private user cannot have process capabilities on the host's user
# namespace and thus CAP_NET_BIND_SERVICE has no effect. # namespace and thus CAP_NET_BIND_SERVICE has no effect.
PrivateUsers = (cfg.port >= 1024); PrivateUsers = true;
}; }
);
}; };
networking.firewall = mkIf cfg.openFirewall { networking.firewall = mkIf cfg.openFirewall {