services.reaction.runAsRoot
Whether to run reaction as root. Defaults to false, in which case an unprivileged reaction user is created.
Be sure to give that user sufficient permissions.
Example config permitting iptables and journalctl use:
{
  # allows reading journal logs of processes
  users.users.reaction.extraGroups = [ "systemd-journal" ];
  # allows modifying ip firewall rules
  systemd.services.reaction.unitConfig.ConditionCapability = "CAP_NET_ADMIN";
  systemd.services.reaction.serviceConfig = {
    CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
    AmbientCapabilities = [ "CAP_NET_ADMIN" ];
  };
  # optional, if more control over ssh logs is needed
  services.openssh.settings.LogLevel = lib.mkDefault "VERBOSE";
}
- Type
  boolean
- Default
  false
- Declared
  - <nixpkgs/nixos/modules/services/security/reaction.nix>