nixos/netbird: moved login hardening to the hardening section (NixOS#486924)

Author: SuperSandro2000

nixos/modules/services/networking/netbird.nix

@@ -660,46 +660,66 @@ in
         }
       );
 
-      systemd.services = toHardenedClientAttrs (
-        client:
-        nameValuePair client.service.name (
-          mkIf client.hardened {
-            serviceConfig = {
-              RuntimeDirectoryMode = "0750";
-
-              User = client.user.name;
-              Group = client.user.group;
-
-              # settings implied by DynamicUser=true, without actually using it,
-              # see https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#DynamicUser=
-              RemoveIPC = true;
-              PrivateTmp = true;
-              ProtectSystem = "strict";
-              ProtectHome = "yes";
-
-              AmbientCapabilities = [
-                # see https://man7.org/linux/man-pages/man7/capabilities.7.html
-                # see https://docs.netbird.io/how-to/installation#running-net-bird-in-docker
-                #
-                # seems to work fine without CAP_SYS_ADMIN and CAP_SYS_RESOURCE
-                # CAP_NET_BIND_SERVICE could be added to allow binding on low ports, but is not required,
-                #  see https://github.com/netbirdio/netbird/pull/1513
-
-                # failed creating tunnel interface wt-priv: [operation not permitted
-                "CAP_NET_ADMIN"
-                # failed to pull up wgInterface [wt-priv]: failed to create ipv4 raw socket: socket: operation not permitted
-                "CAP_NET_RAW"
-              ]
-              # required for eBPF filter, used to be subset of CAP_SYS_ADMIN
-              ++ optional (versionAtLeast kernel.version "5.8") "CAP_BPF"
-              ++ optional (versionOlder kernel.version "5.8") "CAP_SYS_ADMIN"
-              ++ optional (
-                client.dns-resolver.address != null && client.dns-resolver.port < 1024
-              ) "CAP_NET_BIND_SERVICE";
-            };
-          }
-        )
-      );
+      systemd.services = mkMerge [
+        # netbird services
+        (toHardenedClientAttrs (
+          client:
+          nameValuePair client.service.name (
+            mkIf client.hardened {
+              serviceConfig = {
+                RuntimeDirectoryMode = "0750";
+
+                User = client.user.name;
+                Group = client.user.group;
+
+                # settings implied by DynamicUser=true, without actually using it,
+                # see https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#DynamicUser=
+                RemoveIPC = true;
+                PrivateTmp = true;
+                ProtectSystem = "strict";
+                ProtectHome = "yes";
+
+                AmbientCapabilities = [
+                  # see https://man7.org/linux/man-pages/man7/capabilities.7.html
+                  # see https://docs.netbird.io/how-to/installation#running-net-bird-in-docker
+                  #
+                  # seems to work fine without CAP_SYS_ADMIN and CAP_SYS_RESOURCE
+                  # CAP_NET_BIND_SERVICE could be added to allow binding on low ports, but is not required,
+                  #  see https://github.com/netbirdio/netbird/pull/1513
+
+                  # failed creating tunnel interface wt-priv: [operation not permitted
+                  "CAP_NET_ADMIN"
+                  # failed to pull up wgInterface [wt-priv]: failed to create ipv4 raw socket: socket: operation not permitted
+                  "CAP_NET_RAW"
+                ]
+                # required for eBPF filter, used to be subset of CAP_SYS_ADMIN
+                ++ optional (versionAtLeast kernel.version "5.8") "CAP_BPF"
+                ++ optional (versionOlder kernel.version "5.8") "CAP_SYS_ADMIN"
+                ++ optional (
+                  client.dns-resolver.address != null && client.dns-resolver.port < 1024
+                ) "CAP_NET_BIND_SERVICE";
+              };
+            }
+          )
+        ))
+        # netbird-login services
+        (toHardenedClientAttrs (
+          client:
+          nameValuePair "${client.service.name}-login" (
+            mkIf client.hardened {
+              serviceConfig = {
+                User = client.user.name;
+                Group = client.user.group;
+
+                RemoveIPC = true;
+                PrivateTmp = "disconnected"; # "disconnected" puts /tmp on `tmpfs`
+                ProtectSystem = "strict";
+                ProtectHome = "yes";
+              };
+            }
+          )
+        ))
+      ];
 
       # see https://github.com/systemd/systemd/blob/17f3e91e8107b2b29fe25755651b230bbc81a514/src/resolve/org.freedesktop.resolve1.policy#L43-L43
       # see all actions used at https://github.com/netbirdio/netbird/blob/13e7198046a0d73a9cd91bf8e063fafb3d41885c/client/internal/dns/systemd_linux.go#L29-L32
@@ -736,14 +756,6 @@ in
               Type = "oneshot";
               RemainAfterExit = true;
 
-              User = client.user.name;
-              Group = client.user.group;
-
-              RemoveIPC = true;
-              PrivateTmp = "disconnected"; # "disconnected" puts /tmp on `tmpfs`
-              ProtectSystem = "strict";
-              ProtectHome = "yes";
-
               LoadCredential = [ "setup-key:${client.login.setupKeyFile}" ];
             };