nixos/gns3-server: fix ubridge support (#303442)

nixos/doc/manual/release-notes/rl-2411.section.md

@@ -333,6 +333,15 @@
   a static `user` and `group`. The `writablePaths` option has been removed and
   the models directory is now always exempt from sandboxing.
 
+- The `gns3-server` service now runs under the `gns3` system user
+  instead of a dynamically created one via `DynamicUser`.
+  The use of SUID wrappers is incompatible with SystemD's `DynamicUser` setting,
+  and GNS3 requires calling ubridge through its SUID wrapper to function properly.
+  This change requires to manually move the following directories:
+    * from `/var/lib/private/gns3` to `/var/lib/gns3`
+    * from `/var/log/private/gns3` to `/var/log/gns3`
+  and to change the ownership of these directories and their contents to `gns3` (including `/etc/gns3`).
+
 - Legacy package `stalwart-mail_0_6` was dropped, please note the
   [manual upgrade process](https://github.com/stalwartlabs/mail-server/blob/main/UPGRADING.md)
   before changing the package to `pkgs.stalwart-mail` in

nixos/modules/services/networking/gns3-server.nix

@@ -129,8 +129,15 @@ in {
       }
     ];
 
+    users.groups.gns3 = { };
+
     users.groups.ubridge = lib.mkIf cfg.ubridge.enable { };
 
+    users.users.gns3 = {
+      group = "gns3";
+      isSystemUser = true;
+    };
+
     security.wrappers.ubridge = lib.mkIf cfg.ubridge.enable {
       capabilities = "cap_net_raw,cap_net_admin=eip";
       group = "ubridge";
@@ -150,7 +157,7 @@ in {
         };
       }
       (lib.mkIf (cfg.ubridge.enable) {
-        Server.ubridge_path = lib.mkDefault (lib.getExe cfg.ubridge.package);
+        Server.ubridge_path = lib.mkDefault "/run/wrappers/bin/ubridge";
       })
       (lib.mkIf (cfg.auth.enable) {
         Server = {
@@ -206,7 +213,6 @@ in {
       serviceConfig = {
         ConfigurationDirectory = "gns3";
         ConfigurationDirectoryMode = "0750";
-        DynamicUser = true;
         Environment = "HOME=%S/gns3";
         ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
         ExecStart = "${lib.getExe cfg.package} ${commandArgs}";
@@ -227,14 +233,27 @@ in {
         User = "gns3";
         WorkingDirectory = "%S/gns3";
 
+        # Required for ubridge integration to work
+        #
+        # GNS3 needs to run SUID binaries (ubridge)
+        # but NoNewPrivileges breaks execution of SUID binaries
+        DynamicUser = false;
+        NoNewPrivileges = false;
+        RestrictSUIDSGID = false;
+        PrivateUsers = false;
+
         # Hardening
-        DeviceAllow = lib.optional flags.enableLibvirtd "/dev/kvm";
+        DeviceAllow = [
+          # ubridge needs access to tun/tap devices
+          "/dev/net/tap rw"
+          "/dev/net/tun rw"
+        ] ++ lib.optionals flags.enableLibvirtd [
+          "/dev/kvm"
+        ];
         DevicePolicy = "closed";
         LockPersonality = true;
         MemoryDenyWriteExecute = true;
-        NoNewPrivileges = true;
         PrivateTmp = true;
-        PrivateUsers = true;
         # Don't restrict ProcSubset because python3Packages.psutil requires read access to /proc/stat
         # ProcSubset = "pid";
         ProtectClock = true;
@@ -255,8 +274,7 @@ in {
         ];
         RestrictNamespaces = true;
         RestrictRealtime = true;
-        RestrictSUIDSGID = true;
+        UMask = "0022";
-        UMask = "0077";
       };
     };
   };