
tinc: chroot option

tg(x) 5c19830b c7681729

+11 -1
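--- a/nixos/modules/services/networking/tinc.nix
+++ b/nixos/modules/services/networking/tinc.nix
@@ -95,6 +95,16 @@
 '';
 };
 
+chroot = mkOption {
+default = true;
+type = types.bool;
+description = ''
+Change process root directory to the directory where the config file is located (/etc/tinc/netname/), for added security.
+The chroot is performed after all the initialization is done, after writing pid files and opening network sockets.
+
+Note that tinc can't run scripts anymore (such as tinc-down or host-up), unless it is setup to be runnable inside chroot environment.
+'';
+};
 };
 };
 };
@@ -166,7 +176,7 @@
 fi
 '';
 script = ''
-tincd -R -D -U tinc.${network} -n ${network} --pidfile /run/tinc.${network}.pid -d ${toString data.debugLevel}
+tincd -D -U tinc.${network} -n ${network} ${optionalString (data.chroot) "-R"} --pidfile /run/tinc.${network}.pid -d ${toString data.debugLevel}
 '';
 })
 );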
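Review bot: The new `script` line makes `-R` optional but keeps `-U tinc.${network}` unconditional, so with `chroot = false` the daemon still drops privileges yet loses its filesystem confinement; the option description should state that trade-off so users understand what they give up, e.g. append `Disabling this removes the chroot hardening layer only; the daemon still runs as the unprivileged tinc.<network> user via -U.` The existing sentence about scripts such as tinc-down or host-up not running inside the chroot is the reason someone would turn the default off, so it is worth keeping as is. As a point of style, the parentheses in `${optionalString (data.chroot) "-R"}` are redundant in Nix; `${optionalString data.chroot "-R"}` is the conventional form. Both hunks sit inside attribute sets whose enclosing definitions begin and end outside the visible lines.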