xray: allow binding lower ports

Set CapabilityBoundingSet, AmbientCapabilities and NoNewPrivileges as described in XTLS/xray-install.
2024-09-20 04:19:00 +02:00 · 2023-06-06 03:12:48 +00:00 · 2023-06-06 03:12:48 +00:00 · e394dc22f9
parent 954d3794ae
commit e394dc22f9
1 changed files with 3 additions and 0 deletions
--- a/nixos/modules/services/networking/xray.nix
+++ b/nixos/modules/services/networking/xray.nix
@ -90,6 +90,9 @@ with lib;
      serviceConfig = {
        DynamicUser = true;
        ExecStart = "${cfg.package}/bin/xray -config ${settingsFile}";
+        CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
+        AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
+        NoNewPrivileges = true;
      };
    };
  };