diff options
| author | Marillindiƫ <39322938+marillindie@users.noreply.github.com> | 2023-06-06 03:12:48 +0000 |
|---|---|---|
| committer | Emery Hemingway <ehmry@posteo.net> | 2023-06-11 09:03:50 +0100 |
| commit | e394dc22f95427311aa61b8b3cbf490483a4a753 (patch) | |
| tree | d0a6d0d4766ecbf77776eae2ad40518704809d13 /nixos | |
| parent | 954d3794ae89e5cdd27714954e9d59c3f5de1aae (diff) | |
| download | nixlib-e394dc22f95427311aa61b8b3cbf490483a4a753.tar nixlib-e394dc22f95427311aa61b8b3cbf490483a4a753.tar.gz nixlib-e394dc22f95427311aa61b8b3cbf490483a4a753.tar.bz2 nixlib-e394dc22f95427311aa61b8b3cbf490483a4a753.tar.lz nixlib-e394dc22f95427311aa61b8b3cbf490483a4a753.tar.xz nixlib-e394dc22f95427311aa61b8b3cbf490483a4a753.tar.zst nixlib-e394dc22f95427311aa61b8b3cbf490483a4a753.zip | |
xray: allow binding lower ports
Set CapabilityBoundingSet, AmbientCapabilities and NoNewPrivileges as described in XTLS/xray-install.
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/modules/services/networking/xray.nix | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/xray.nix b/nixos/modules/services/networking/xray.nix index e2fd83c4dfd9..83655a2f88ef 100644 --- a/nixos/modules/services/networking/xray.nix +++ b/nixos/modules/services/networking/xray.nix @@ -90,6 +90,9 @@ with lib; serviceConfig = { DynamicUser = true; ExecStart = "${cfg.package}/bin/xray -config ${settingsFile}"; + CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE"; + AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE"; + NoNewPrivileges = true; }; }; }; |