From 51d1018b7ccd288f51f3ce0336174cf4cc3782b6 Mon Sep 17 00:00:00 2001
From: Sirio Balmelli
Date: Mon, 4 Nov 2024 16:56:34 +0100
Subject: [PATCH] nixos/nebula: add CAP_NET_BIND_SERVICE when lighthouse node serves DNS

Serving DNS fails in the absence of CAP_NET_BIND_SERVICE.

Signed-off-by: Sirio Balmelli
---
 nixos/modules/services/networking/nebula.nix | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/services/networking/nebula.nix b/nixos/modules/services/networking/nebula.nix
index 477731f3f5a49c..0c967af74f69a5 100644
--- a/nixos/modules/services/networking/nebula.nix
+++ b/nixos/modules/services/networking/nebula.nix
@@ -210,6 +210,11 @@ in
 ''
 settings
 );
+ capabilities = concatStringsSep " " ([
+ "CAP_NET_ADMIN"
+ ] ++ (optionals ((hasAttr "lighthouse.serve_dns" settings) && settings.lighthouse.serve_dns) [
+ "CAP_NET_BIND_SERVICE"
+ ]));
 in
 {
 # Create the systemd service for Nebula.
@@ -224,8 +229,8 @@ in
 Restart = "always";
 ExecStart = "${netCfg.package}/bin/nebula -config ${configFile}";
 UMask = "0027";
- CapabilityBoundingSet = "CAP_NET_ADMIN";
- AmbientCapabilities = "CAP_NET_ADMIN";
+ CapabilityBoundingSet = capabilities;
+ AmbientCapabilities = capabilities;
 LockPersonality = true;
 NoNewPrivileges = true;
 PrivateDevices = false; # needs access to /dev/net/tun (below)
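Review bot: The guard on the new `capabilities` binding can never be true, because `hasAttr "lighthouse.serve_dns" settings` tests for a single attribute literally named `lighthouse.serve_dns` rather than the nested path, while the second conjunct `settings.lighthouse.serve_dns` shows the value actually lives under the `lighthouse` attrset; the `&&` short-circuits to false and CAP_NET_BIND_SERVICE is never added, so the capability set in the second hunk stays at CAP_NET_ADMIN and the DNS failure the commit message describes persists. Replace the condition with a path-aware check that also tolerates the attribute being absent, e.g. `] ++ (optionals (settings.lighthouse.serve_dns or false) [`, or `hasAttrByPath [ "lighthouse" "serve_dns" ] settings && settings.lighthouse.serve_dns`. From a least-privilege standpoint it would be worth a comment noting that the bind capability is only required when the configured DNS listen port is privileged (below 1024); granting it unconditionally whenever `serve_dns` is set widens the bounding set more than the service strictly needs, though the exact port key is not visible in this hunk. The enclosing `let` that `capabilities` joins starts outside the hunk.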