From b8a5e48e859e37cf1427538c890a5223827958c5 Mon Sep 17 00:00:00 2001 From: Patrick Date: Sat, 30 Mar 2024 20:47:52 +0100 Subject: [PATCH] feat: restrict netbird access --- modules/netbird-client.nix | 18 +++++------------- 1 file changed, 5 insertions(+), 13 deletions(-) diff --git a/modules/netbird-client.nix b/modules/netbird-client.nix index ebc223e..297ca57 100644 --- a/modules/netbird-client.nix +++ b/modules/netbird-client.nix @@ -148,19 +148,6 @@ in { cfg.tunnels ); - systemd.tmpfiles.settings."10-netbird-access" = lib.flip lib.mapAttrs' cfg.tunnels ( - _: { - stateDir, - userAccess, - ... - }: (nameValuePair "/run/${stateDir}" { - d.mode = - if userAccess - then "0755" - else "0750"; - }) - ); - systemd.services = mapAttrs' ( @@ -168,6 +155,7 @@ in { environment, stateDir, environmentFile, + userAccess, ... }: nameValuePair "netbird-${name}" { @@ -190,6 +178,10 @@ in { StateDirectory = stateDir; StateDirectoryMode = "0700"; WorkingDirectory = "/var/lib/${stateDir}"; + RuntimeDirectoryMode = + if userAccess + then "0755" + else "0750"; # hardening LockPersonality = true;
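Review bot: The new `RuntimeDirectoryMode` in the third hunk only has an effect if the same unit also sets `RuntimeDirectory = stateDir` (or equivalent); that line is not in the hunk, so please confirm it is present in the serviceConfig, because otherwise systemd silently ignores the mode and `/run/${stateDir}`, which the deleted tmpfiles rule used to create, is no longer managed at all. Two differences from the old tmpfiles `d` entry deserve a comment: systemd removes a RuntimeDirectory when the service stops unless `RuntimeDirectoryPreserve` is set, and the directory mode only governs traversal — whether unprivileged users can actually talk to the daemon depends on the mode netbird gives the control socket it creates inside, which this option does not control. I would document the intent above the new lines, e.g. `# 0755 lets any local user traverse /run/<stateDir> to reach the control socket; 0750 limits it to the service user and group`. The serviceConfig attribute set continues outside the hunk.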