feat: restrict netbird access

2024-03-30 20:47:52 +01:00 · 2024-03-30 20:47:52 +01:00 · b8a5e48e85
parent 8b45dc4d7e
commit b8a5e48e85
1 changed files with 5 additions and 13 deletions
--- a/modules/netbird-client.nix
+++ b/modules/netbird-client.nix
@ -148,19 +148,6 @@ in {
        cfg.tunnels
      );
      systemd.tmpfiles.settings."10-netbird-access" = lib.flip lib.mapAttrs' cfg.tunnels (
        _: {
          stateDir,
          userAccess,
          ...
        }: (nameValuePair "/run/${stateDir}" {
          d.mode =
            if userAccess
            then "0755"
            else "0750";
        })
      );
      systemd.services =
        mapAttrs'
        (
@ -168,6 +155,7 @@ in {
            environment,
            stateDir,
            environmentFile,
            userAccess,
            ...
          }:
            nameValuePair "netbird-${name}" {
@ -190,6 +178,10 @@ in {
                StateDirectory = stateDir;
                StateDirectoryMode = "0700";
                WorkingDirectory = "/var/lib/${stateDir}";
                RuntimeDirectoryMode =
                  if userAccess
                  then "0755"
                  else "0750";
                # hardening
                LockPersonality = true;