networkmanager: run all services as root instead of networkmanager user

I believe this may allow using bwrap instead of landlock.
Colin 2024-05-31 09:58:13 +00:00
parent c7eb4b66a5
commit 214f963d89
2 changed files with 16 additions and 16 deletions


@ -13,10 +13,10 @@ in
{
sane.programs.networkmanager = {
packageUnwrapped = pkgs.networkmanager.overrideAttrs (upstream: {
postPatch = (upstream.postPatch or "") + ''
substituteInPlace src/{core/org.freedesktop.NetworkManager,nm-dispatcher/nm-dispatcher}.conf --replace-fail \
'user="root"' 'user="networkmanager"'
'';
# postPatch = (upstream.postPatch or "") + ''
# substituteInPlace src/{core/org.freedesktop.NetworkManager,nm-dispatcher/nm-dispatcher}.conf --replace-fail \
# 'user="root"' 'user="networkmanager"'
# '';
# remove unused services to prevent any unexpected interactions
postFixup = (upstream.postFixup or "") + ''
rm $out/etc/systemd/system/{nm-cloud-setup.service,nm-cloud-setup.timer,nm-priv-helper.service}
@ -66,8 +66,8 @@ in
path = [ "/run/current-system/sw" ]; #< so it can find `sanebox`
serviceConfig.RuntimeDirectory = "NetworkManager"; #< tells systemd to create /run/NetworkManager
serviceConfig.StateDirectory = "NetworkManager"; #< tells systemd to create /var/lib/NetworkManager
serviceConfig.User = "networkmanager";
serviceConfig.Group = "networkmanager";
# serviceConfig.User = "networkmanager";
# serviceConfig.Group = "networkmanager";
serviceConfig.AmbientCapabilities = [
# "CAP_DAC_OVERRIDE"
"CAP_NET_ADMIN"
@ -82,8 +82,8 @@ in
systemd.services.NetworkManager-wait-online = {
path = [ "/run/current-system/sw" ]; #< so `nm-online` can find `sanebox`
wantedBy = [ "network-online.target" ];
serviceConfig.User = "networkmanager";
serviceConfig.Group = "networkmanager";
# serviceConfig.User = "networkmanager";
# serviceConfig.Group = "networkmanager";
};
systemd.services.NetworkManager-dispatcher = {
@ -97,8 +97,8 @@ in
];
serviceConfig.Restart = "always";
serviceConfig.RestartSec = "1s";
serviceConfig.User = "networkmanager";
serviceConfig.Group = "networkmanager";
# serviceConfig.User = "networkmanager";
# serviceConfig.Group = "networkmanager";
};
environment.etc = {
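Review bot: Once `serviceConfig.User`/`Group` are commented out (hunk at -66,8 and likewise -82,8 and -97,8 here, and the wpa_supplicant service in the second file), the `serviceConfig.AmbientCapabilities` list that still follows at `"CAP_NET_ADMIN"` appears to have no effect, since the unit now runs as root and already holds the full capability set; the only remaining restriction on the service would come from the sandboxing wrapper the commit message alludes to. If the intent is to keep some limit on what the daemon can do while running as root, `serviceConfig.CapabilityBoundingSet` with the same list would still apply, whereas the ambient set is presumably now dead configuration. The reason for dropping privilege separation lives only in the commit message; a one-line comment next to the commented-out lines, e.g. `# run as root: needed to use bwrap in place of landlock (see commit message)`, would tell the next reader why, and the four commented-out `User`/`Group` pairs could then be deleted rather than kept as dead code. The `postPatch` removal at -13,10 is consistent with this (the dbus policy reverts to `user="root"`), so no mismatch there.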


@ -7,10 +7,10 @@ in
{
sane.programs.wpa_supplicant = {
packageUnwrapped = pkgs.wpa_supplicant.overrideAttrs (upstream: {
postPatch = (upstream.postPatch or "") + ''
substituteInPlace wpa_supplicant/dbus/dbus-wpa_supplicant.conf --replace-fail \
'user="root"' 'user="networkmanager"'
'';
# postPatch = (upstream.postPatch or "") + ''
# substituteInPlace wpa_supplicant/dbus/dbus-wpa_supplicant.conf --replace-fail \
# 'user="root"' 'user="networkmanager"'
# '';
# nixpkgs wpa_supplicant generates a dbus file which has a path like
# /nix/store/abc-wpa_supplicant/nix/store/abc-wpa_supplicant/sbin/...
# upstreaming status: <https://github.com/NixOS/nixpkgs/pull/315346>
@ -43,8 +43,8 @@ in
systemd.packages = [ cfg.package ]; #< needs to be on systemd.packages so we get its service file
systemd.services.wpa_supplicant = {
path = [ "/run/current-system/sw" ]; #< so it can find `sanebox`
serviceConfig.User = "networkmanager";
serviceConfig.Group = "networkmanager";
# serviceConfig.User = "networkmanager";
# serviceConfig.Group = "networkmanager";
serviceConfig.AmbientCapabilities = [
"CAP_NET_ADMIN"
"CAP_NET_RAW"