Revert "Revert "nixos/dhcpd: switch to DynamicUser""

This reverts commit 0e5dab9db7,
thus bringing back dd9883b2fb.
rnhmjoj 2022-01-19 19:34:20 +01:00
parent 82500ee3bc
commit 59e51f359b
GPG key ID: BFBAF4C975F76450


@ -28,38 +28,45 @@ let
} }
''; '';
dhcpdService = postfix: cfg: optionalAttrs cfg.enable { dhcpdService = postfix: cfg:
"dhcpd${postfix}" = { let
description = "DHCPv${postfix} server"; configFile =
wantedBy = [ "multi-user.target" ]; if cfg.configFile != null
after = [ "network.target" ]; then cfg.configFile
else writeConfig cfg;
leaseFile = "/var/lib/dhcpd${postfix}/dhcpd.leases";
args = [
"@${pkgs.dhcp}/sbin/dhcpd" "dhcpd${postfix}" "-${postfix}"
"-pf" "/run/dhcpd${postfix}/dhcpd.pid"
"-cf" configFile
"-lf" leaseFile
] ++ cfg.extraFlags
++ cfg.interfaces;
in
optionalAttrs cfg.enable {
"dhcpd${postfix}" = {
description = "DHCPv${postfix} server";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
preStart = '' preStart = "touch ${leaseFile}";
mkdir -m 755 -p ${cfg.stateDir} serviceConfig = {
chown dhcpd:nogroup ${cfg.stateDir} ExecStart = concatMapStringsSep " " escapeShellArg args;
touch ${cfg.stateDir}/dhcpd.leases Type = "forking";
''; Restart = "always";
DynamicUser = true;
serviceConfig = User = "dhcpd";
let Group = "dhcpd";
configFile = if cfg.configFile != null then cfg.configFile else writeConfig cfg; AmbientCapabilities = [
args = [ "@${pkgs.dhcp}/sbin/dhcpd" "dhcpd${postfix}" "-${postfix}" "CAP_NET_RAW" # to send ICMP messages
"-pf" "/run/dhcpd${postfix}/dhcpd.pid" "CAP_NET_BIND_SERVICE" # to bind on DHCP port (67)
"-cf" "${configFile}" ];
"-lf" "${cfg.stateDir}/dhcpd.leases" StateDirectory = "dhcpd${postfix}";
"-user" "dhcpd" "-group" "nogroup" RuntimeDirectory = "dhcpd${postfix}";
] ++ cfg.extraFlags PIDFile = "/run/dhcpd${postfix}/dhcpd.pid";
++ cfg.interfaces; };
in {
ExecStart = concatMapStringsSep " " escapeShellArg args;
Type = "forking";
Restart = "always";
RuntimeDirectory = [ "dhcpd${postfix}" ];
PIDFile = "/run/dhcpd${postfix}/dhcpd.pid";
}; };
}; };
};
machineOpts = { ... }: { machineOpts = { ... }: {
@ -102,15 +109,6 @@ let
''; '';
}; };
stateDir = mkOption {
type = types.path;
# We use /var/lib/dhcp for DHCPv4 to save backwards compatibility.
default = "/var/lib/dhcp${if postfix == "4" then "" else postfix}";
description = ''
State directory for the DHCP server.
'';
};
extraConfig = mkOption { extraConfig = mkOption {
type = types.lines; type = types.lines;
default = ""; default = "";
@ -194,7 +192,13 @@ in
imports = [ imports = [
(mkRenamedOptionModule [ "services" "dhcpd" ] [ "services" "dhcpd4" ]) (mkRenamedOptionModule [ "services" "dhcpd" ] [ "services" "dhcpd4" ])
]; ] ++ flip map [ "4" "6" ] (postfix:
mkRemovedOptionModule [ "services" "dhcpd${postfix}" "stateDir" ] ''
The DHCP server state directory is now managed with the systemd's DynamicUser mechanism.
This means the directory is named after the service (dhcpd${postfix}), created under
/var/lib/private/ and symlinked to /var/lib/.
''
);
###### interface ###### interface
@ -210,15 +214,6 @@ in
config = mkIf (cfg4.enable || cfg6.enable) { config = mkIf (cfg4.enable || cfg6.enable) {
users = {
users.dhcpd = {
isSystemUser = true;
group = "dhcpd";
description = "DHCP daemon user";
};
groups.dhcpd = {};
};
systemd.services = dhcpdService "4" cfg4 // dhcpdService "6" cfg6; systemd.services = dhcpdService "4" cfg4 // dhcpdService "6" cfg6;
}; };
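Review bot: The DHCPv4 lease database is left behind by this migration: the removed `stateDir` option defaulted to `/var/lib/dhcp` for the "4" instance (old side of the second hunk), while `leaseFile` in the first hunk now resolves to `/var/lib/dhcpd4/dhcpd.leases` and `preStart` only touches an empty file, so a server upgraded in place starts with no record of outstanding leases and can hand out addresses still held by clients. The `mkRemovedOptionModule` text in the third hunk mentions the new directory layout but not this, and it is the one place an operator will read; it should end with a sentence such as `Existing leases are not migrated: copy /var/lib/dhcp/dhcpd.leases to /var/lib/dhcpd4/dhcpd.leases before restarting the service.` (an ExecStartPre copy would need the `+` root prefix, since the unit itself now runs unprivileged). As a smaller defence-in-depth point, the unit grants `CAP_NET_RAW` and `CAP_NET_BIND_SERVICE` via `AmbientCapabilities` but leaves the bounding set at its default; adding `CapabilityBoundingSet = [ "CAP_NET_RAW" "CAP_NET_BIND_SERVICE" ];` alongside it pins the process to exactly those two, which is the usual pairing when `DynamicUser` replaces an in-process privilege drop like the removed `-user`/`-group` flags.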