nixos/netbird: add SYSTEMD_UNIT to pick up logs in debug bundles (#444043)

authored by Sandro and committed by GitHub 604a820c ac581d18

Changed files
+33 -8
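--- a/nixos/modules/services/networking/netbird.nix
+++ b/nixos/modules/services/networking/netbird.nix
@@ -543,14 +543,7 @@
 after = [ "network.target" ];
 wantedBy = [ "multi-user.target" ];
 
-path =
-optionals (!config.services.resolved.enable) [ pkgs.openresolv ]
-# useful for `netbird debug` system info gathering
-++ optionals config.networking.nftables.enable [ pkgs.nftables ]
-++ optionals (!config.networking.nftables.enable) [
-pkgs.iptables
-pkgs.ipset
-];
+path = optionals (!config.services.resolved.enable) [ pkgs.openresolv ];
 
 serviceConfig = {
 ExecStart = "${getExe client.wrapper} service run";
@@ -571,6 +564,38 @@
 };
 
 stopIfChanged = false;
+}
+);
+}
+# netbird debug bundle related configurations
+{
+systemd.services = toClientAttrs (
+client:
+nameValuePair client.service.name {
+/*
+lets NetBird daemon know which systemd service to gather logs for
+see https://github.com/netbirdio/netbird/blob/2c87fa623654c5eef76bc0226062290201eef13a/client/internal/debug/debug_linux.go#L50-L51
+*/
+environment.SYSTEMD_UNIT = client.service.name;
+
+path =
+optionals config.networking.nftables.enable [ pkgs.nftables ]
+++ optionals (!config.networking.nftables.enable) [
+pkgs.iptables
+pkgs.ipset
+];
+}
+);
+users.users = toHardenedClientAttrs (
+client:
+nameValuePair client.user.name {
+extraGroups = [
+/*
+allows debug bundles to gather systemd logs for `netbird*.service`
+this is not ideal for hardening as it grants access to the whole journal, not just own logs
+*/
+"systemd-journal"
+];
 }
 );
 }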
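Review bot: Adding every hardened client user to `systemd-journal` (new line 597) gives that user read access to the entire system journal, and while the inline comment admits this is a hardening regression, the membership is applied unconditionally, so every deployment of the module pays for it even when nobody intends to run `netbird debug`. I would make it opt-in, e.g. `extraGroups = optionals <opt-in debug-bundle option> [ "systemd-journal" ];` (placeholder option name), or at minimum state the journal-wide read access in the description of whatever option controls the hardened user so operators can weigh it. The `# useful for `netbird debug` system info gathering` comment from the removed lines was dropped when the firewall tools moved to the new `path =` at line 581; restoring it there keeps the reason those packages are on PATH visible. The attribute set that the second hunk closes with `}` / `);` begins outside the hunk, so I cannot see what else the same debug block is merged with.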