feat: restrict netbird access

2024-03-30 20:47:52 +01:00 · 2024-03-30 20:47:52 +01:00 · b8a5e48e85
parent 8b45dc4d7e
commit b8a5e48e85
1 changed files with 5 additions and 13 deletions
--- a/modules/netbird-client.nix
+++ b/modules/netbird-client.nix
@ -148,19 +148,6 @@ in {
        cfg.tunnels
      );

-      systemd.tmpfiles.settings."10-netbird-access" = lib.flip lib.mapAttrs' cfg.tunnels (
-        _: {
-          stateDir,
-          userAccess,
-          ...
-        }: (nameValuePair "/run/${stateDir}" {
-          d.mode =
-            if userAccess
-            then "0755"
-            else "0750";
-        })
-      );
-
      systemd.services =
        mapAttrs'
        (
@ -168,6 +155,7 @@ in {
            environment,
            stateDir,
            environmentFile,
+            userAccess,
            ...
          }:
            nameValuePair "netbird-${name}" {
@ -190,6 +178,10 @@ in {
                StateDirectory = stateDir;
                StateDirectoryMode = "0700";
                WorkingDirectory = "/var/lib/${stateDir}";
+                RuntimeDirectoryMode =
+                  if userAccess
+                  then "0755"
+                  else "0750";

                # hardening
                LockPersonality = true;