fixup! nixos/redlib: use upstream systemd service file

2024-11-22 15:24:46 +08:00 · 2024-11-22 15:24:46 +08:00 · 4a0893c186
commit 4a0893c186
parent 743d0ff90b
1 changed files with 20 additions and 11 deletions
--- a/nixos/modules/services/misc/redlib.nix
+++ b/nixos/modules/services/misc/redlib.nix
@ -93,17 +93,26 @@ in
    systemd.services.redlib = {
      wantedBy = [ "default.target" ];
      environment = mapAttrs (_: v: if isBool v then boolToString' v else toString v) cfg.settings;
-      serviceConfig = {
-        ExecStart = [
-          ""
-          "${lib.getExe cfg.package} ${args}"
-        ];
-        AmbientCapabilities = lib.mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ];
-        CapabilityBoundingSet = if (cfg.port < 1024) then [ "CAP_NET_BIND_SERVICE" ] else [ "" ];
-        # A private user cannot have process capabilities on the host's user
-        # namespace and thus CAP_NET_BIND_SERVICE has no effect.
-        PrivateUsers = (cfg.port >= 1024);
-      };
+      serviceConfig =
+        {
+          ExecStart = [
+            ""
+            "${lib.getExe cfg.package} ${args}"
+          ];
+        }
+        // (
+          if (cfg.port < 1024) then
+            {
+              AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+              CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+            }
+          else
+            {
+              # A private user cannot have process capabilities on the host's user
+              # namespace and thus CAP_NET_BIND_SERVICE has no effect.
+              PrivateUsers = true;
+            }
+        );
    };

    networking.firewall = mkIf cfg.openFirewall {