From 2628597e7692ff465d7c575a1c1bfdce35833cad Mon Sep 17 00:00:00 2001
From: Joachim Fasting <joachifm@fastmail.fm>
Date: Sun, 5 Feb 2017 04:46:58 +0100
Subject: [PATCH] cjdns service: allow daemon to drop privileges

The service can run certain components with reduced privileges, but for
that it needs the setuid capability.
---
 nixos/modules/services/networking/cjdns.nix | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/nixos/modules/services/networking/cjdns.nix b/nixos/modules/services/networking/cjdns.nix
index d478e45f9462..12c2677c3368 100644
--- a/nixos/modules/services/networking/cjdns.nix
+++ b/nixos/modules/services/networking/cjdns.nix
@@ -258,8 +258,7 @@ in
         Restart = "always";
         StartLimitInterval = 0;
         RestartSec = 1;
-        CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW";
-        AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_RAW";
+        CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID";
         ProtectSystem = true;
         MemoryDenyWriteExecute = true;
         ProtectHome = true;