yubikey-agent: fix systemd unit

I was getting problems with the unit failing to start due to NAMESPACE
or CAPABILITIES permissions.

Upstream now provides a systemd unit file in the repo, we should use that
one, and that one works for me.
This commit is contained in:
Philip Potter 2021-04-16 16:19:18 +01:00
parent e019872af8
commit dfb0999f73
2 changed files with 5 additions and 40 deletions

View file

@ -2,13 +2,13 @@
buildGoModule rec {
pname = "yubikey-agent";
version = "0.1.3";
version = "unstable-2021-02-18";
src = fetchFromGitHub {
owner = "FiloSottile";
repo = pname;
rev = "v${version}";
sha256 = "07gix5wrakn4z846zhvl66lzwx58djrfnn6m8v7vc69l9jr3kihr";
rev = "8cadc13d107757f8084d9d2b93ea64ff0c1748e8";
sha256 = "1lklgq9qkqil5s0g56wbhs0vpr9c1bd4ir7bkrjwqj75ygxim8ml";
};
buildInputs =
@ -25,7 +25,7 @@ buildGoModule rec {
substituteInPlace main.go --replace 'notify-send' ${libnotify}/bin/notify-send
'';
vendorSha256 = "128mlsagj3im6h0p0ndhzk29ya47g19im9dldx3nmddf2jlccj2h";
vendorSha256 = "1zx1w2is61471v4dlmr4wf714zqsc8sppik671p7s4fis5vccsca";
doCheck = false;
@ -42,7 +42,7 @@ buildGoModule rec {
# See https://github.com/FiloSottile/yubikey-agent/pull/43
+ lib.optionalString stdenv.isLinux ''
mkdir -p $out/lib/systemd/user
substitute ${./yubikey-agent.service} $out/lib/systemd/user/yubikey-agent.service \
substitute contrib/systemd/user/yubikey-agent.service $out/lib/systemd/user/yubikey-agent.service \
--replace 'ExecStart=yubikey-agent' "ExecStart=$out/bin/yubikey-agent"
'';

View file

@ -1,35 +0,0 @@
[Unit]
Description=Seamless ssh-agent for YubiKeys
Documentation=https://filippo.io/yubikey-agent
[Service]
ExecStart=yubikey-agent -l %t/yubikey-agent/yubikey-agent.sock
ExecReload=/bin/kill -HUP $MAINPID
ProtectSystem=strict
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
PrivateTmp=yes
PrivateDevices=yes
PrivateUsers=yes
IPAddressDeny=any
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
CapabilityBoundingSet=
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
NoNewPrivileges=yes
KeyringMode=private
UMask=0177
RuntimeDirectory=yubikey-agent
[Install]
WantedBy=default.target