author | Jörg Thalheim <joerg@thalheim.io> | 2020-02-12 16:34:10 +0000 |
committer | Jörg Thalheim <joerg@thalheim.io> | 2020-02-12 16:34:10 +0000 |
commit | 88029bce39bd485fc07f1b2aa111c3ee9d12e684 (patch) | |
tree | 6750720e9c89b472f9df93d1ab03fcda0d12ecff /nixos/modules | |
parent | 6adc09ed308e088481728c7f25ecabf609764254 (diff) |
knot: drop dynamic user
Using a dynamic user makes it hard to include secret files.
Also using tools like keymgr becomes harder.
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/services/networking/knot.nix | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/nixos/modules/services/networking/knot.nix b/nixos/modules/services/networking/knot.nix
index 47364ecb8464..6d0bb23846fb 100644
--- a/nixos/modules/services/networking/knot.nix
+++ b/nixos/modules/services/networking/knot.nix
@@ -65,6 +65,13 @@ in {
   };
 
   config = mkIf config.services.knot.enable {
+    users.users.knot = {
+      isSystemUser = true;
+      group = "knot";
+      description = "Knot daemon user";
+    };
+
+    users.groups.knot.gid = null;
     systemd.services.knot = {
       unitConfig.Documentation = "man:knotd(8) man:knot.conf(5) man:knotc(8) https://www.knot-dns.cz/docs/${cfg.package.version}/html/";
       description = cfg.package.meta.description;
@@ -79,7 +86,7 @@ in {
         CapabilityBoundingSet = "CAP_NET_BIND_SERVICE CAP_SETPCAP";
         AmbientCapabilities = "CAP_NET_BIND_SERVICE CAP_SETPCAP";
         NoNewPrivileges = true;
-        DynamicUser = "yes";
+        User = "knot";
         RuntimeDirectory = "knot";
         StateDirectory = "knot";
         StateDirectoryMode = "0700";
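Review bot: Replacing `DynamicUser = "yes"` with `User = "knot"` in the second hunk silently drops the sandboxing that DynamicUser implies (ProtectSystem=strict, ProtectHome, PrivateTmp, RemoveIPC), and the hunk shows only CapabilityBoundingSet, AmbientCapabilities and NoNewPrivileges surviving; unless they are already set in the part of serviceConfig outside this hunk, add them back explicitly: `ProtectSystem = "strict"; ProtectHome = true; PrivateTmp = true;`. The serviceConfig block and the enclosing systemd.services.knot definition start and end outside the hunk, so I cannot confirm which hardening directives remain. On hosts upgrading from the dynamic user, state previously created under /var/lib/private/knot by the transient UID may not be owned by the new static knot user, so a short comment on the `User = "knot"` line noting that existing state may need re-owning would help operators, though whether systemd migrates it automatically should be verified. The first hunk's `users.groups.knot.gid = null;` relies on automatic allocation, which is consistent with `isSystemUser = true` above it.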