From d8d472f72c794638c80675a5accf3f861dd03d0d Mon Sep 17 00:00:00 2001
From: Dorian
Date: Tue, 7 Apr 2026 15:57:38 +0100
Subject: [PATCH] =?UTF-8?q?fix:=20nostr-vpn=20service=20=E2=80=94=20set=20?= =?UTF-8?q?HOME,=20create=20dirs,=20remove=20strict=20sandbox?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

nvpn binary writes to $HOME/.config/nvpn. Set HOME to data dir, create runtime dirs in ExecStartPre, remove overly restrictive ProtectSystem/ProtectHome that blocked the binary.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 image-recipe/configs/nostr-vpn.service | 15 ++++-----------
 1 file changed, 4 insertions(+), 11 deletions(-)

diff --git a/image-recipe/configs/nostr-vpn.service b/image-recipe/configs/nostr-vpn.service
index df9ebebb..297815d6 100644
--- a/image-recipe/configs/nostr-vpn.service
+++ b/image-recipe/configs/nostr-vpn.service
@@ -6,7 +6,9 @@ Wants=network-online.target
 [Service]
 Type=simple
 User=root
+Environment=HOME=/var/lib/archipelago/nostr-vpn
 EnvironmentFile=-/var/lib/archipelago/nostr-vpn/env
+ExecStartPre=+/bin/bash -c 'mkdir -p /run/nostr-vpn /var/lib/archipelago/nostr-vpn/.config/nvpn'
 ExecStartPre=/bin/bash -c 'test -f /var/lib/archipelago/nostr-vpn/env || { echo "NostrVPN not configured — waiting for onboarding"; exit 1; }'
 ExecStart=/usr/local/bin/nvpn daemon
 Restart=on-failure
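Review bot: The `mkdir -p` in the added `ExecStartPre=+…` line leaves `/var/lib/archipelago/nostr-vpn/.config/nvpn` at the default 0755, and since `HOME` now points at its parent this is presumably where nvpn keeps its keys and configuration. Creating it with an explicit mode, for example `install -d -m 0700 /var/lib/archipelago/nostr-vpn/.config/nvpn`, and declaring `RuntimeDirectory=nostr-vpn` for the `/run` path would make the permissions deliberate rather than umask-dependent. The `+` prefix appears to have no effect with `User=root` and the sandboxing removed later in this patch, so either drop it or add a comment such as `# '+' keeps directory creation outside any sandbox re-added later`.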
@@ -14,18 +16,9 @@ RestartSec=10
 TimeoutStartSec=30
 TimeoutStopSec=10
 
-# Networking capabilities (required for TUN/WireGuard)
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE
-
-# Security hardening
-NoNewPrivileges=yes
-ProtectSystem=strict
-ReadWritePaths=/var/lib/archipelago/nostr-vpn /run/nostr-vpn /dev/net/tun
-ProtectHome=yes
-PrivateTmp=yes
+# Security — runs as root for TUN/WireGuard access
+ReadWritePaths=/var/lib/archipelago/nostr-vpn /run/nostr-vpn
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
-RestrictRealtime=yes
 
 # Resource limits
 MemoryMax=256M
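Review bot: Dropping `CapabilityBoundingSet=` and `NoNewPrivileges=yes` along with the filesystem protections leaves the daemon as unrestricted root with the full capability set, which is wider than the problem the commit message describes (ProtectSystem/ProtectHome blocking writes). Since `HOME` is now `/var/lib/archipelago/nostr-vpn`, which was already listed in `ReadWritePaths=`, the write to `$HOME/.config/nvpn` would likely succeed with the sandbox kept; it is worth retesting with `CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE`, `NoNewPrivileges=yes` and `ProtectSystem=strict` restored. As written, the remaining `ReadWritePaths=` line does nothing because no directive makes those paths read-only any more, so the new `# Security` comment should say that rather than present it as a restriction.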