talexander/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Releases Activity

fixup! nixos/redlib: use upstream systemd service file

Browse Source
This commit is contained in:
Guanran Wang 2024-11-22 15:24:46 +08:00
parent 743d0ff90b
commit 4a0893c186
No known key found for this signature in database
GPG Key ID: 91F97D9ED12639CF
1 changed files with 20 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
nixos/modules/services/misc/redlib.nix
View File

@ -93,17 +93,26 @@ in
systemd.services.redlib = { systemd.services.redlib = {
wantedBy = [ "default.target" ]; wantedBy = [ "default.target" ];
environment = mapAttrs (_: v: if isBool v then boolToString' v else toString v) cfg.settings; environment = mapAttrs (_: v: if isBool v then boolToString' v else toString v) cfg.settings;
serviceConfig = { serviceConfig =
ExecStart = [ {
"" ExecStart = [
"${lib.getExe cfg.package} ${args}" ""
]; "${lib.getExe cfg.package} ${args}"
AmbientCapabilities = lib.mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ]; ];
CapabilityBoundingSet = if (cfg.port < 1024) then [ "CAP_NET_BIND_SERVICE" ] else [ "" ]; }
# A private user cannot have process capabilities on the host's user // (
# namespace and thus CAP_NET_BIND_SERVICE has no effect. if (cfg.port < 1024) then
PrivateUsers = (cfg.port >= 1024); {
}; AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
}
else
{
# A private user cannot have process capabilities on the host's user
# namespace and thus CAP_NET_BIND_SERVICE has no effect.
PrivateUsers = true;
}
);
}; };
networking.firewall = mkIf cfg.openFirewall { networking.firewall = mkIf cfg.openFirewall {