nixos/tests/acme: use CAP_NET_BIND_SERVICE

2020-03-23 17:58:36 +00:00 · 2020-03-23 17:58:36 +00:00 · 695fd78ac4
commit 695fd78ac4
parent d0f04c1623
2 changed files with 2 additions and 4 deletions
--- a/nixos/tests/acme.nix
+++ b/nixos/tests/acme.nix
@ -33,8 +33,7 @@ in import ./make-test-python.nix {
        serviceConfig = {
          ExecStart = "${pkgs.pebble}/bin/pebble-challtestsrv -dns01 ':53' -defaultIPv6 '' -defaultIPv4 '${nodes.webserver.config.networking.primaryIPAddress}'";
          # Required to bind on privileged ports.
-          User = "root";
-          Group = "root";
+          AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
        };
      };
    };
--- a/nixos/tests/common/acme/server/default.nix
+++ b/nixos/tests/common/acme/server/default.nix
@ -126,8 +126,7 @@ in {
        '';
        serviceConfig = {
          # Required to bind on privileged ports.
-          User = "root";
-          Group = "root";
+          AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
        };
      };
    };