From 6e389e63678fe13660bcc9f708649e64eae6bb05 Mon Sep 17 00:00:00 2001
From: Nick Cao
Date: Sun, 27 Feb 2022 16:19:22 +0800
Subject: [PATCH] nixos/bird: run service as non-root user, add test for reload
---
 nixos/modules/services/networking/bird.nix | 20 +++++++-------------
 nixos/tests/bird.nix | 1 +
 2 files changed, 8 insertions(+), 13 deletions(-)
diff --git a/nixos/modules/services/networking/bird.nix b/nixos/modules/services/networking/bird.nix
index 4a5192424819..3049c4f2bce9 100644
--- a/nixos/modules/services/networking/bird.nix
+++ b/nixos/modules/services/networking/bird.nix
@@ -4,6 +4,7 @@ let
 inherit (lib) mkEnableOption mkIf mkOption optionalString types;
 cfg = config.services.bird2;
+ caps = [ "CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" "CAP_NET_RAW" ];
 in
 {
 ###### interface
@@ -72,21 +73,14 @@ in
 serviceConfig = {
 Type = "forking";
 Restart = "on-failure";
- # We need to start as root so bird can open netlink sockets i.e. for ospf
- ExecStart = "${pkgs.bird}/bin/bird -c /etc/bird/bird2.conf -u bird2 -g bird2";
- ExecReload = "/bin/sh -c '${pkgs.bird}/bin/bird -c /etc/bird/bird2.conf -p && ${pkgs.bird}/bin/birdc configure'";
+ User = "bird2";
+ Group = "bird2";
+ ExecStart = "${pkgs.bird}/bin/bird -c /etc/bird/bird2.conf";
+ ExecReload = "${pkgs.bird}/bin/birdc configure";
 ExecStop = "${pkgs.bird}/bin/birdc down";
 RuntimeDirectory = "bird";
- CapabilityBoundingSet = [
- "CAP_CHOWN"
- "CAP_FOWNER"
- "CAP_SETUID"
- "CAP_SETGID"
- "CAP_NET_ADMIN"
- "CAP_NET_BROADCAST"
- "CAP_NET_BIND_SERVICE"
- "CAP_NET_RAW"
- ];
+ CapabilityBoundingSet = caps;
+ AmbientCapabilities = caps;
 ProtectSystem = "full";
 ProtectHome = "yes";
 ProtectKernelTunables = true;
diff --git a/nixos/tests/bird.nix b/nixos/tests/bird.nix
index befcf4fb8acf..822a7caea9ba 100644
--- a/nixos/tests/bird.nix
+++ b/nixos/tests/bird.nix
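Review bot: The new `ExecReload` drops the parse check that guarded the reload: the removed line ran `bird -c /etc/bird/bird2.conf -p && birdc configure`, so a broken config made `systemctl reload bird2` fail loudly, whereas now the reload's exit status rests entirely on whether `birdc configure` returns non-zero when the daemon rejects the file, which I have not confirmed for the packaged version. The check still works under the new unprivileged user and costs one line: `ExecReload = "/bin/sh -c '${pkgs.bird}/bin/bird -c /etc/bird/bird2.conf -p && ${pkgs.bird}/bin/birdc configure'";`. The ambient-capability grant is the security-relevant part of this hunk and replaces the removed root comment without saying why each capability is needed; a why-comment on `AmbientCapabilities = caps;` such as `# bird2 is unprivileged: NET_ADMIN for netlink route changes, NET_RAW for OSPF raw/multicast sockets, NET_BIND_SERVICE for BGP's port 179` would help, with the protocol-to-capability mapping confirmed against bird's sysdep code. The `bird2` user and group, and the permissions that let it read `/etc/bird/bird2.conf` now that the daemon no longer starts as root, are defined outside this hunk and should be checked alongside it.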
@@ -110,6 +110,7 @@ makeTest {
 host1.wait_for_unit("bird2.service")
 host2.wait_for_unit("bird2.service")
+ host1.succeed("systemctl reload bird2.service")
 with subtest("Waiting for advertised IPv4 routes"):
 host1.wait_until_succeeds("ip --json r | jq -e 'map(select(.dst == \"10.10.0.2\")) | any'")