From 080774e28f421b6fb890cf4d6aff7caad8e9b32e Mon Sep 17 00:00:00 2001
From: oaksoaj
Date: Sat, 2 Jul 2022 16:34:59 +0200
Subject: [PATCH] yggdrasil: reenable DynamicUser

Since version 0.4 Yggdrasil works again using systemd's DynamicUser option. This patch reenables it to improve security. We tested this with both persistent and non-persistent keys. Everything seems to work fine.
---
 .../modules/services/networking/yggdrasil.nix | 29 ++++---------------
 1 file changed, 6 insertions(+), 23 deletions(-)

diff --git a/nixos/modules/services/networking/yggdrasil.nix b/nixos/modules/services/networking/yggdrasil.nix
index 99c18ae6919e..8e88064a9071 100644
--- a/nixos/modules/services/networking/yggdrasil.nix
+++ b/nixos/modules/services/networking/yggdrasil.nix
@@ -60,13 +60,6 @@ in {
 ''; }; - group = mkOption { type = types.str; default = "root"; example = "wheel"; description = "Group to grant access to the Yggdrasil control socket."; }; - openMulticastPort = mkOption { type = bool; default = false;
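Review bot: The `group` option is removed outright, so any existing configuration that sets `services.yggdrasil.group` will now fail evaluation with a generic "option does not exist" error instead of a message explaining the DynamicUser change; NixOS convention for a dropped option is a shim such as `imports = [ (lib.mkRemovedOptionModule [ "services" "yggdrasil" "group" ] "The control socket is now owned by a transient DynamicUser account; access it as root.") ];` near the top of the module (message text is a suggestion). The diffstat shows all six insertions in the second hunk, so no such shim appears to have been added. The module's `options` set continues outside this hunk.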
@@ -154,27 +147,17 @@ in {
 ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
 Restart = "always";
- Group = cfg.group;
+ User = "yggdrasil";
+ DynamicUser = true;
+ StateDirectory = "yggdrasil";
 RuntimeDirectory = "yggdrasil";
 RuntimeDirectoryMode = "0750";
 BindReadOnlyPaths = lib.optional configFileProvided cfg.configFile ++ lib.optional cfg.persistentKeys keysPath;
+ ReadWritePaths = "/run/yggdrasil";
- # TODO: as of yggdrasil 0.3.8 and systemd 243, yggdrasil fails
- # to set up the network adapter when DynamicUser is set. See
- # github.com/yggdrasil-network/yggdrasil-go/issues/557. The
- # following options are implied by DynamicUser according to
- # the systemd.exec documentation, and can be removed if the
- # upstream issue is fixed and DynamicUser is set to true:
- PrivateTmp = true;
- RemoveIPC = true;
- NoNewPrivileges = true;
- ProtectSystem = "strict";
- RestrictSUIDSGID = true;
- # End of list of options implied by DynamicUser.
-
- AmbientCapabilities = "CAP_NET_ADMIN";
- CapabilityBoundingSet = "CAP_NET_ADMIN";
+ AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
+ CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
 MemoryDenyWriteExecute = true;
 ProtectControlGroups = true;
 ProtectHome = "tmpfs";
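Review bot: `RuntimeDirectoryMode = "0750"` is kept, but the directory's group is now the transient DynamicUser group rather than the removed `cfg.group`, so the control socket under `/run/yggdrasil` is effectively reachable only by root; that is a behaviour change for anyone who used the old group to reach the socket and deserves a sentence in the commit message or a comment next to the mode line. The widening of `AmbientCapabilities`/`CapabilityBoundingSet` to `CAP_NET_ADMIN CAP_NET_BIND_SERVICE` is also unexplained; a one-line comment stating what needs the extra capability now that the process no longer runs as root (presumably listen addresses on privileged ports) would keep the next reader from dropping it as surplus. `ReadWritePaths = "/run/yggdrasil"` looks redundant, since RuntimeDirectory= is already made writable under the ProtectSystem=strict that DynamicUser= implies — worth confirming against the systemd.exec manual and removing if so. The `serviceConfig` attribute set continues outside this hunk.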