nixos/nebula: add CAP_NET_BIND_SERVICE when lighthouse node serves DNS

Serving DNS fails in the absence of CAP_NET_BIND_SERVICE. Add self as maintainer: I'm using Nebula on NixOS in prod. Signed-off-by: Sirio Balmelli <[email protected]>
NixOS · Nov 14, 2024 · 84e3439 · 84e3439
1 parent 6efe194
commit 84e3439
Showing 1 changed file with 8 additions and 3 deletions.
diff --git a/nixos/modules/services/networking/nebula.nix b/nixos/modules/services/networking/nebula.nix
@@ -210,6 +210,11 @@ in
             ''
             settings
           );
+        capabilities = concatStringsSep " " ([
+          "CAP_NET_ADMIN"
+        ] ++ (optionals (settings.lighthouse.serve_dns or false) [
+          "CAP_NET_BIND_SERVICE"
+        ]));
         in
         {
           # Create the systemd service for Nebula.
@@ -224,8 +229,8 @@ in
               Restart = "always";
               ExecStart = "${netCfg.package}/bin/nebula -config ${configFile}";
               UMask = "0027";
-              CapabilityBoundingSet = "CAP_NET_ADMIN";
-              AmbientCapabilities = "CAP_NET_ADMIN";
+              CapabilityBoundingSet = capabilities;
+              AmbientCapabilities = capabilities;
               LockPersonality = true;
               NoNewPrivileges = true;
               PrivateDevices = false; # needs access to /dev/net/tun (below)
@@ -270,5 +275,5 @@ in
     }) enabledNetworks);
   };
 
-  meta.maintainers = with maintainers; [ numinit ];
+  meta.maintainers = with maintainers; [ numinit siriobalmelli ];
 }