diff --git a/modules/geth/default.nix b/modules/geth/default.nix
index e6ad580b9..4a8a8785e 100644
--- a/modules/geth/default.nix
+++ b/modules/geth/default.nix
@@ -19,6 +19,8 @@
 flatten
 mapAttrs'
 mapAttrsToList
+ mkDefault
+ mkForce
 mkIf
 mkMerge
 nameValuePair
@@ -121,13 +123,24 @@ in {
 serviceConfig = mkMerge [
 baseServiceConfig
 {
- User = serviceName;
- StateDirectory = serviceName;
- ExecStart = "${cfg.package}/bin/geth ${scriptArgs}";
+ User =
+ if cfg.user != null
+ then cfg.user
+ else mkDefault serviceName;
+ StateDirectory = mkDefault serviceName;
+ ExecStart = mkDefault "${cfg.package}/bin/geth ${scriptArgs}";
 }
 (mkIf (cfg.args.authrpc.jwtsecret != null) {
 LoadCredential = ["jwtsecret:${cfg.args.authrpc.jwtsecret}"];
 })
+ (mkIf (!cfg.dynamicUser) {
+ DynamicUser = mkForce false;
+ RemoveIPC = mkDefault true;
+ PrivateTmp = mkDefault true;
+ NoNewPrivileges = mkDefault "strict";
+ RestrictSUIDSGID = mkDefault true;
+ ProtectSystem = mkDefault true;
+ })
 ];
 })
 )
diff --git a/modules/geth/options.nix b/modules/geth/options.nix
index e1392ae07..ce51fa1e6 100644
--- a/modules/geth/options.nix
+++ b/modules/geth/options.nix
@@ -11,6 +11,18 @@
 inherit args;
+ dynamicUser = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Whether to use systemd's DynamicUser feature.";
+ };
+ user = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = "User to run the service as.";
+ };
 extraArgs = mkOption {
 type = types.listOf types.str;
 description = "Additional arguments to pass to Go Ethereum.";
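Review bot: `NoNewPrivileges = mkDefault "strict";` in the new `(mkIf (!cfg.dynamicUser) …)` block is not a valid value — NoNewPrivileges= is a boolean in systemd.exec(5), NixOS does not validate serviceConfig keys, and systemd logs "Failed to parse boolean value, ignoring" and leaves it unset, so the static-user path runs without the no-new-privs guard it appears to set. The `"strict"` looks like it was meant for ProtectSystem=, which DynamicUser=yes implies as `strict` while this block downgrades it to `true`; change the two lines to `NoNewPrivileges = mkDefault true;` and `ProtectSystem = mkDefault "strict";`, and consider adding `ProtectHome = mkDefault "read-only";`, which DynamicUser also implies and which the block does not replicate. Separately, `User = cfg.user` is set unconditionally while DynamicUser is only forced off when `cfg.dynamicUser` is false, so a caller who sets `user` and leaves `dynamicUser` at its default gets User= combined with DynamicUser= (presumably true from baseServiceConfig, which is outside the hunk) — an assertion that `cfg.user != null -> !cfg.dynamicUser` would tie the two options together. The enclosing service definition starts and ends outside the hunk.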