nixos/uhub: fix plugins, set CAP_NET_BIND_SERVICE

Fix generation of the plugins configuration and allow binding to "privileged" ports.
2025-01-08 22:57:42 +03:00 · 2022-06-05 11:14:37 -05:00 · 2022-06-05 11:14:37 -05:00 · 2d012163f2
commit 2d012163f2
parent bad676c7ed
1 changed files with 9 additions and 5 deletions
--- a/nixos/modules/services/misc/uhub.nix
+++ b/nixos/modules/services/misc/uhub.nix
@ -80,11 +80,12 @@ in {
          tls_enable = cfg.enableTLS;
          file_plugins = pkgs.writeText "uhub-plugins.conf"
            (lib.strings.concatStringsSep "\n" (map ({ plugin, settings }:
-              "plugin ${plugin} ${
+              ''
+                plugin ${plugin} "${
                  toString
-                (lib.attrsets.mapAttrsToList (key: value: ''"${key}=${value}"'')
+                  (lib.attrsets.mapAttrsToList (key: value: "${key}=${value}")
                    settings)
-              }") cfg.plugins));
+                }"'') cfg.plugins));
        };
      in {
        name = "uhub/${name}.conf";
@ -104,6 +105,9 @@ in {
          ExecStart = "${pkg}/bin/uhub -c /etc/uhub/${name}.conf -L";
          ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
          DynamicUser = true;
+
+          AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+          CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
        };
      };
    }) hubs;