tinc: use DynamicUser

This commit is contained in:
tv 2023-05-15 13:31:19 +02:00
parent 882bbfd606
commit e3c8492f30


@ -190,35 +190,16 @@ with import <stockholm/lib>;
default = 3; default = 3;
}; };
user = mkOption { username = mkOption {
type = types.user; type = types.username;
default = { default = tinc.config.netname;
name = tinc.config.netname; defaultText = literalExample "netname";
home = "/var/lib/${tinc.config.user.name}";
};
defaultText = {
name = "netname";
home = "/var/lib/netname";
};
}; };
}; };
})); }));
}; };
config = { config = {
users.users = mapAttrs' (netname: cfg:
nameValuePair "${netname}" {
inherit (cfg.user) home name uid;
createHome = true;
isSystemUser = true;
group = netname;
}
) config.krebs.tinc;
users.groups = mapAttrs' (netname: cfg:
nameValuePair netname {}
) config.krebs.tinc;
krebs.systemd.services = mapAttrs (netname: cfg: { krebs.systemd.services = mapAttrs (netname: cfg: {
restartIfCredentialsChange = true; restartIfCredentialsChange = true;
}) config.krebs.tinc; }) config.krebs.tinc;
@ -238,11 +219,11 @@ with import <stockholm/lib>;
) )
"rsa_key.priv:${cfg.privkey}" "rsa_key.priv:${cfg.privkey}"
]; ];
ExecStartPre = pkgs.writers.writeDash "init-tinc-${netname}" '' ExecStartPre = "+" + pkgs.writers.writeDash "init-tinc-${netname}" ''
set -efu set -efu
${pkgs.coreutils}/bin/mkdir -p /etc/tinc ${pkgs.coreutils}/bin/mkdir -p /etc/tinc
${pkgs.rsync}/bin/rsync -Lacv --delete \ ${pkgs.rsync}/bin/rsync -Lacv --delete \
--chown ${cfg.user.name} \ --chown ${cfg.username} \
--chmod u=rwX,g=rX \ --chmod u=rwX,g=rX \
--exclude='/*.priv' \ --exclude='/*.priv' \
${cfg.confDir}/ /etc/tinc/${netname}/ ${cfg.confDir}/ /etc/tinc/${netname}/
@ -255,14 +236,16 @@ with import <stockholm/lib>;
"$CREDENTIALS_DIRECTORY"/rsa_key.priv \ "$CREDENTIALS_DIRECTORY"/rsa_key.priv \
/etc/tinc/${netname}/ /etc/tinc/${netname}/
''; '';
ExecStart = toString [ ExecStart = "+" + toString [
"${cfg.tincPackage}/sbin/tincd" "${cfg.tincPackage}/sbin/tincd"
"-D" "-D"
"-U ${cfg.user.name}" "-U ${cfg.username}"
"-d 0" "-d 0"
"-n ${netname}" "-n ${netname}"
]; ];
SyslogIdentifier = netname; SyslogIdentifier = netname;
DynamicUser = true;
User = cfg.username;
}; };
}) config.krebs.tinc; }) config.krebs.tinc;
}; };
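Review bot: Both `ExecStartPre` and `ExecStart` now carry the `"+"` prefix, so the rsync step and the tincd process itself still start with full privileges; `DynamicUser = true` together with `User = cfg.username` then only supplies the account that tincd drops to on its own via `-U ${cfg.username}`, and the filesystem sandboxing that DynamicUser normally implies (ProtectSystem=strict, PrivateTmp and similar) is not applied to a `+`-prefixed command. That is presumably intentional because tincd has to set up its network device before dropping privileges, but nothing in the hunk records it; a comment such as `# "+" keeps root for device setup; tincd switches to the dynamic user itself via -U` next to the `ExecStart` line would make the trade-off explicit. If device setup is the only reason root is needed, `AmbientCapabilities = [ "CAP_NET_ADMIN" ];` without the `+` prefix would let systemd apply the DynamicUser sandbox to tincd as well, though that needs checking against how tincd behaves when `-U` names the user it already runs as. Hunk 1 also drops the persistent user and its `/var/lib/netname` home; if tincd or the init script ever writes state there, `StateDirectory = netname;` is the DynamicUser-compatible replacement.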