nixos/nebula: add CAP_NET_BIND_SERVICE when lighthouse node serves DNS

Serving DNS fails in the absence of CAP_NET_BIND_SERVICE. Signed-off-by: Sirio Balmelli <[email protected]>
NixOS · Nov 5, 2024 · 4fdd4f0 · 4fdd4f0
1 parent a61cd8f
commit 4fdd4f0
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/nixos/modules/services/networking/nebula.nix b/nixos/modules/services/networking/nebula.nix
@@ -210,6 +210,11 @@ in
             ''
             settings
           );
+        capabilities = concatStringsSep " " ([
+          "CAP_NET_ADMIN"
+        ] ++ (optionals ((hasAttr "lighthouse.serve_dns" settings) && settings.lighthouse.serve_dns) [
+          "CAP_NET_BIND_SERVICE"
+        ]));
         in
         {
           # Create the systemd service for Nebula.
@@ -224,8 +229,8 @@ in
               Restart = "always";
               ExecStart = "${netCfg.package}/bin/nebula -config ${configFile}";
               UMask = "0027";
-              CapabilityBoundingSet = "CAP_NET_ADMIN";
-              AmbientCapabilities = "CAP_NET_ADMIN";
+              CapabilityBoundingSet = capabilities;
+              AmbientCapabilities = capabilities;
               LockPersonality = true;
               NoNewPrivileges = true;
               PrivateDevices = false; # needs access to /dev/net/tun (below)