nixos/nebula: add CAP_NET_BIND_SERVICE when lighthouse node serves DNS #353665
base: master
Force-pushed from 4fdd4f0 to 51d1018.
Force-pushed from 51d1018 to 3198924.
@numinit I would appreciate your review on this 🙏
Force-pushed from 3198924 to 84e3439.
@@ -210,6 +210,11 @@ in | |||
'' | |||
settings | |||
); | |||
capabilities = concatStringsSep " " ([ | |||
"CAP_NET_ADMIN" | |||
] ++ (optionals (settings.lighthouse.serve_dns or false) [ |
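Review bot: the gate on the last line of the hunk, `(settings.lighthouse.serve_dns or false)`, grants CAP_NET_BIND_SERVICE whenever DNS serving is enabled, even when `lighthouse.dns.port` is 1024 or higher where the capability is not needed, and it never grants it when `settings.listen.port` itself is a privileged port. Gate on the ports instead, something like `port > 0 && port < 1024` evaluated for both `settings.listen.port` and `settings.lighthouse.dns.port`, so the unit only gets the extra capability when it will actually bind below 1024. In the same spot, `"CAP_NET_ADMIN"` stays unconditional; if the tunnel interface can be disabled for this network, that capability should be gated too rather than always handed to the service.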
This condition should probably be:

```nix
let
  nebulaPort = settings.listen.port;
  dnsPort = if (settings.lighthouse.serve_dns or false) then (settings.lighthouse.dns.port or (-1)) else (-1);
in nebulaPort > 0 && nebulaPort < 1024 || dnsPort > 0 && dnsPort < 1024;
```

Do you mind adding services.nebula.networks.<name>.dns.{enable,port,host} as well? The port should likely default to 5353 so we don't need the extra capability.

May be worth updating the NixOS test too.
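As an added example, not code from this PR or from the nixpkgs nebula module, the following derives the unit's capability list from the network's settings along the lines suggested above: CAP_NET_BIND_SERVICE only when the Nebula listen port or the DNS port is privileged, and CAP_NET_ADMIN only when the tunnel interface is enabled. The keys `settings.listen.port`, `settings.lighthouse.serve_dns`, `settings.lighthouse.dns.port` and `settings.tun.disabled` follow Nebula's YAML config; the 4242 and 53 fallbacks are assumed to match Nebula's example config, and the binding names are illustrative.

```nix
# Added example (not part of this PR or the nixpkgs nebula module).
# Assumes `settings` is the merged Nebula config attrset the module hands to
# the daemon; key names follow Nebula's YAML config, fallback values are
# assumptions.
{ lib, settings }:
let
  inherit (lib) optional concatStringsSep;

  # Linux requires CAP_NET_BIND_SERVICE only for ports 1..1023.
  # Port 0 means "pick a random port", so it is never privileged.
  isPrivileged = port: port > 0 && port < 1024;

  listenPort = settings.listen.port or 4242;

  serveDns = settings.lighthouse.serve_dns or false;
  # When DNS is off, the DNS port must not contribute a capability.
  dnsPort = if serveDns then (settings.lighthouse.dns.port or 53) else 0;

  tunDisabled = settings.tun.disabled or false;

  capabilities =
    optional (!tunDisabled) "CAP_NET_ADMIN"
    ++ optional (isPrivileged listenPort || isPrivileged dnsPort) "CAP_NET_BIND_SERVICE";
in
{
  # The bounding set caps what the service may ever hold; the ambient set is
  # what it actually starts with when running as a non-root user. Keep them
  # identical so the unit gets exactly the capabilities it needs and no more.
  serviceConfig = {
    CapabilityBoundingSet = concatStringsSep " " capabilities;
    AmbientCapabilities = concatStringsSep " " capabilities;
  };
}
```

With `serve_dns = true` and `dns.port = 53` this yields `"CAP_NET_ADMIN CAP_NET_BIND_SERVICE"`; with `dns.port = 5353` (the default suggested above) it yields `"CAP_NET_ADMIN"` only, and with `tun.disabled = true` and no privileged port the string is empty. After deploying, confirm what the unit really holds with `systemctl show 'nebula@<name>.service' -p CapabilityBoundingSet -p AmbientCapabilities`.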
Force-pushed from 84e3439 to 9715721.
Force-pushed from ae7d05c to 2ceb113.
Add the options:
- lighthouse.serve_dns
- lighthouse.dns.host
- lighthouse.dns.port

Improve systemd capabilities handling:
- do not give CAP_NET_ADMIN when tunnel interface is disabled
- give CAP_NET_BIND_SERVICE when DNS is enabled

Add self as maintainer: I'm using Nebula on NixOS in prod.

Signed-off-by: Sirio Balmelli <[email protected]>
Force-pushed from 2ceb113 to f77e832.
Hey, thanks for taking this btw! Let me know if you need any help getting it across the finish line.
Serving DNS fails in the absence of CAP_NET_BIND_SERVICE.