From b247c414c4a573dc4edeceb8b8426b5d6545dcfd Mon Sep 17 00:00:00 2001
From: Guanran928 <68757440+Guanran928@users.noreply.github.com>
Date: Thu, 2 May 2024 21:18:58 +0800
Subject: [PATCH] tailscale: apply basic systemd hardening (#306241)

https://github.com/tailscale/tailscale/issues/77
---
 pkgs/servers/tailscale/default.nix | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/pkgs/servers/tailscale/default.nix b/pkgs/servers/tailscale/default.nix
index 20637c70129f..40d832620c3f 100644
--- a/pkgs/servers/tailscale/default.nix
+++ b/pkgs/servers/tailscale/default.nix
@@ -9,6 +9,7 @@
 , shadow
 , procps
 , nixosTests
+, fetchpatch
 }:

 let
@@ -26,6 +27,15 @@ buildGoModule {
 };
 vendorHash = "sha256-pYeHqYd2cCOVQlD1r2lh//KC+732H0lj1fPDBr+W8qA=";

+ patches = [
+ # Reverts "cmd/tailscaled/tailscaled.service: revert recent hardening"
+ (fetchpatch {
+ url = "https://github.com/tailscale/tailscale/commit/2889fabaefc50040507ead652d6d2b212f476c2b.patch";
+ hash = "sha256-DPBrv7kjSVXhmptUGGzOkaP4iXi/Bym3lvqy4otL9HE=";
+ revert = true;
+ })
+ ];
+
 nativeBuildInputs = lib.optionals stdenv.isLinux [ makeWrapper ];

 CGO_ENABLED = 0;
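Review bot: The comment on the new `patches` entry in the second hunk names the upstream commit being reverted but not why upstream dropped the hardening, so a later maintainer cannot tell which tailscaled features may stop working under the restored sandbox or when the patch can be removed. I would expand it to something like `# Re-applies the systemd hardening that upstream reverted (tailscale/tailscale#77); drop once upstream ships a hardened unit.` Pinning the fetched patch with `hash` is good, but the restored unit directives are not visible in this diff and the patch is applied unconditionally. It would be worth confirming, with the package's `nixosTests` if they cover it, that functionality needing wider privileges still works under the hardened unit. The `buildGoModule { … }` block starts and ends outside the hunk.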