services.reaction.runAsRoot

NixOS option

Whether to run reaction as root. Defaults to false, in which case an unprivileged reaction user is created.

Be sure to give it sufficient permissions. Example config permitting iptables and journalctl use:

```nix
{
  # allows reading journal logs of processes
  users.users.reaction.extraGroups = [ "systemd-journal" ];

  # allows modifying ip firewall rules
  systemd.services.reaction.unitConfig.ConditionCapability = "CAP_NET_ADMIN";
  systemd.services.reaction.serviceConfig = {
    CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
    AmbientCapabilities = [ "CAP_NET_ADMIN" ];
  };

  # optional, if more control over ssh logs is needed
  services.openssh.settings.LogLevel = lib.mkDefault "VERBOSE";
}
```

```nix
# core ipset plugin requires these if running as non-root
systemd.services.reaction.serviceConfig = {
  CapabilityBoundingSet = [
    "CAP_NET_ADMIN"
    "CAP_NET_RAW"
    "CAP_DAC_READ_SEARCH" # for journalctl
  ];
  AmbientCapabilities = [
    "CAP_NET_ADMIN"
    "CAP_NET_RAW"
    "CAP_DAC_READ_SEARCH"
  ];
};
```

type: boolean
Default
false
declared in: nixos/modules/services/security/reaction.nix
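One way to confirm that the running service holds only the capabilities granted in the description, as an added example that is not part of nixpkgs or the reaction project. It decodes the `Cap*` masks of a `/proc/<pid>/status` dump and reports anything outside an allow-list; the `sample` helper, the uid 993 and both status excerpts are constructed for illustration.

```python
import re

# Linux capability names in bit order, lowest bit first (from <linux/capability.h>).
CAP_NAMES = """CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK
IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT
SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL
SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON
BPF CHECKPOINT_RESTORE""".split()

# Allow-list taken from the ipset plugin example in the option description.
ALLOWED = {"CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_DAC_READ_SEARCH"}

def sample(uid, mask, amb):
    """Build a constructed /proc/<pid>/status excerpt (not captured from a real host)."""
    caps = "".join(f"Cap{s}:\t{m:016x}\n" for s, m in
                   [("Inh", amb), ("Prm", mask), ("Eff", mask), ("Bnd", mask), ("Amb", amb)])
    return f"Name:\treaction\nUid:\t{uid}\t{uid}\t{uid}\t{uid}\n" + caps

SAMPLE_UNPRIVILEGED = sample(993, 0x3004, 0x3004)  # bits 2, 12, 13: the three allowed caps
SAMPLE_ROOT = sample(0, (1 << 41) - 1, 0)          # every capability, as a root service has

def decode_mask(hex_mask):
    """Decode a hex mask from /proc/<pid>/status into a set of capability names."""
    mask = int(hex_mask, 16)
    return {"CAP_" + CAP_NAMES[b] if b < len(CAP_NAMES) else f"CAP_UNKNOWN_{b}"
            for b in range(mask.bit_length()) if mask >> b & 1}

def audit(status_text, allowed=frozenset(ALLOWED)):
    """Report uid 0 and, per capability set, every capability outside `allowed`."""
    uid = re.search(r"^Uid:\s+(\d+)\s+(\d+)", status_text, re.M)  # real, effective uid
    excess = {}
    for field, mask in re.findall(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s+([0-9a-fA-F]+)",
                                  status_text, re.M):
        extra = decode_mask(mask) - set(allowed)
        if extra:
            excess[field] = sorted(extra)
    return {"root": bool(uid) and "0" in uid.groups(), "excess": excess}

if __name__ == "__main__":
    for name, text in [("unprivileged", SAMPLE_UNPRIVILEGED), ("root", SAMPLE_ROOT)]:
        print(name, audit(text))
```

On a live host, feed `audit` the contents of `/proc/<pid>/status` for the service's main process; passing `{"CAP_NET_ADMIN"}` as `allowed` checks against the narrower iptables example instead.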