diff options
| author | Jörg Thalheim <joerg@thalheim.io> | 2020-02-12 16:34:10 +0000 |
|---|---|---|
| committer | Jörg Thalheim <joerg@thalheim.io> | 2020-02-12 16:34:10 +0000 |
| commit | 88029bce39bd485fc07f1b2aa111c3ee9d12e684 (patch) | |
| tree | 6750720e9c89b472f9df93d1ab03fcda0d12ecff /nixos/modules | |
| parent | 6adc09ed308e088481728c7f25ecabf609764254 (diff) | |
| download | nixlib-88029bce39bd485fc07f1b2aa111c3ee9d12e684.tar nixlib-88029bce39bd485fc07f1b2aa111c3ee9d12e684.tar.gz nixlib-88029bce39bd485fc07f1b2aa111c3ee9d12e684.tar.bz2 nixlib-88029bce39bd485fc07f1b2aa111c3ee9d12e684.tar.lz nixlib-88029bce39bd485fc07f1b2aa111c3ee9d12e684.tar.xz nixlib-88029bce39bd485fc07f1b2aa111c3ee9d12e684.tar.zst nixlib-88029bce39bd485fc07f1b2aa111c3ee9d12e684.zip | |
knot: drop dynamic user
This makes it hard to include secret files. Also using tools like keymgr becomes harder.
Diffstat (limited to 'nixos/modules')
| -rw-r--r-- | nixos/modules/services/networking/knot.nix | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/nixos/modules/services/networking/knot.nix b/nixos/modules/services/networking/knot.nix index 47364ecb8464..6d0bb23846fb 100644 --- a/nixos/modules/services/networking/knot.nix +++ b/nixos/modules/services/networking/knot.nix @@ -65,6 +65,13 @@ in { }; config = mkIf config.services.knot.enable { + users.users.knot = { + isSystemUser = true; + group = "knot"; + description = "Knot daemon user"; + }; + + users.groups.knot.gid = null; systemd.services.knot = { unitConfig.Documentation = "man:knotd(8) man:knot.conf(5) man:knotc(8) https://www.knot-dns.cz/docs/${cfg.package.version}/html/"; description = cfg.package.meta.description; @@ -79,7 +86,7 @@ in { CapabilityBoundingSet = "CAP_NET_BIND_SERVICE CAP_SETPCAP"; AmbientCapabilities = "CAP_NET_BIND_SERVICE CAP_SETPCAP"; NoNewPrivileges = true; - DynamicUser = "yes"; + User = "knot"; RuntimeDirectory = "knot"; StateDirectory = "knot"; StateDirectoryMode = "0700"; |