From 84e34391776962871e8d54711019302347843ff2 Mon Sep 17 00:00:00 2001
From: Sirio Balmelli
Date: Wed, 6 Nov 2024 07:50:42 +0100
Subject: [PATCH] nixos/nebula: add CAP_NET_BIND_SERVICE when lighthouse node serves DNS

Serving DNS fails in the absence of CAP_NET_BIND_SERVICE.

Add self as maintainer: I'm using Nebula on NixOS in prod.

Signed-off-by: Sirio Balmelli
---
 nixos/modules/services/networking/nebula.nix | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/nixos/modules/services/networking/nebula.nix b/nixos/modules/services/networking/nebula.nix
index 477731f3f5a49c..9f4f404116a413 100644
--- a/nixos/modules/services/networking/nebula.nix
+++ b/nixos/modules/services/networking/nebula.nix
@@ -210,6 +210,11 @@ in
 ''
 settings
 );
+ capabilities = concatStringsSep " " ([
+ "CAP_NET_ADMIN"
+ ] ++ (optionals (settings.lighthouse.serve_dns or false) [
+ "CAP_NET_BIND_SERVICE"
+ ]));
 in
 {
 # Create the systemd service for Nebula.
@@ -224,8 +229,8 @@ in
 Restart = "always";
 ExecStart = "${netCfg.package}/bin/nebula -config ${configFile}";
 UMask = "0027";
- CapabilityBoundingSet = "CAP_NET_ADMIN";
- AmbientCapabilities = "CAP_NET_ADMIN";
+ CapabilityBoundingSet = capabilities;
+ AmbientCapabilities = capabilities;
 LockPersonality = true;
 NoNewPrivileges = true;
 PrivateDevices = false; # needs access to /dev/net/tun (below)
@@ -270,5 +275,5 @@ in
 }) enabledNetworks);
 };
- meta.maintainers = with maintainers; [ numinit ];
+ meta.maintainers = with maintainers; [ numinit siriobalmelli ];
 }
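Review bot: The new `capabilities` binding in the first hunk widens the bounding set to CAP_NET_BIND_SERVICE whenever `serve_dns` is true, even when the DNS listener is configured on an unprivileged port or the node is not actually acting as a lighthouse, so the service keeps more privilege than it needs in those configurations. Nebula's DNS listener port comes from `lighthouse.dns.port` (53 upstream by default, as far as I recall), so the condition could be tightened to `] ++ (optionals ((settings.lighthouse.serve_dns or false) && (settings.lighthouse.dns.port or 53) < 1024) [`, and gating on `settings.lighthouse.am_lighthouse or false` as well would match when Nebula actually serves DNS — worth confirming against how this module populates `settings`. Either way the intent deserves a comment above the binding, e.g. `# Serving DNS binds a privileged port (53 by default), which needs CAP_NET_BIND_SERVICE in addition to CAP_NET_ADMIN for the tun device.` The enclosing `let` block begins outside this hunk.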