nixos/bird: run service as non-root user, add test for reload

nixos/modules/services/networking/bird.nix

@@ -4,6 +4,7 @@ let
   inherit (lib) mkEnableOption mkIf mkOption optionalString types;
 
   cfg = config.services.bird2;
+  caps = [ "CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" "CAP_NET_RAW" ];
 in
 {
   ###### interface
@@ -72,21 +73,14 @@ in
       serviceConfig = {
         Type = "forking";
         Restart = "on-failure";
-        # We need to start as root so bird can open netlink sockets i.e. for ospf
-        ExecStart = "${pkgs.bird}/bin/bird -c /etc/bird/bird2.conf -u bird2 -g bird2";
-        ExecReload = "/bin/sh -c '${pkgs.bird}/bin/bird -c /etc/bird/bird2.conf -p && ${pkgs.bird}/bin/birdc configure'";
+        User = "bird2";
+        Group = "bird2";
+        ExecStart = "${pkgs.bird}/bin/bird -c /etc/bird/bird2.conf";
+        ExecReload = "${pkgs.bird}/bin/birdc configure";
         ExecStop = "${pkgs.bird}/bin/birdc down";
         RuntimeDirectory = "bird";
-        CapabilityBoundingSet = [
-          "CAP_CHOWN"
-          "CAP_FOWNER"
-          "CAP_SETUID"
-          "CAP_SETGID"
-          "CAP_NET_ADMIN"
-          "CAP_NET_BROADCAST"
-          "CAP_NET_BIND_SERVICE"
-          "CAP_NET_RAW"
-        ];
+        CapabilityBoundingSet = caps;
+        AmbientCapabilities = caps;
         ProtectSystem = "full";
         ProtectHome = "yes";
         ProtectKernelTunables = true;

nixos/tests/bird.nix

@@ -110,6 +110,7 @@ makeTest {
 
     host1.wait_for_unit("bird2.service")
     host2.wait_for_unit("bird2.service")
+    host1.succeed("systemctl reload bird2.service")
 
     with subtest("Waiting for advertised IPv4 routes"):
       host1.wait_until_succeeds("ip --json r | jq -e 'map(select(.dst == \"10.10.0.2\")) | any'")