From 045a24d74ed06f6aa658a131f3980fb8e60938b5 Mon Sep 17 00:00:00 2001
From: Arano-kai
Date: Wed, 2 Oct 2019 00:36:33 +0300
Subject: [PATCH] Systemd: tun module and capabilities

- Enable (and limit to) capabilities that require to setup tun/tap interface.
- Ensure that tun module is active.
---
 contrib/systemd/yggdrasil.service | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/contrib/systemd/yggdrasil.service b/contrib/systemd/yggdrasil.service
index 37859e79..0223dd90 100644
--- a/contrib/systemd/yggdrasil.service
+++ b/contrib/systemd/yggdrasil.service
@@ -8,6 +8,8 @@ Group=yggdrasil
 ProtectHome=true
 ProtectSystem=true
 SyslogIdentifier=yggdrasil
+CapabilityBoundSet=CAP_NET_ADMIN
+ExecStartPre=+/sbin/modprobe tun
 ExecStartPre=/bin/sh -ec "if ! test -s /etc/yggdrasil.conf; \
 then umask 077; \
 yggdrasil -genconf > /etc/yggdrasil.conf; \
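Review bot: `CapabilityBoundSet=` on the first added line is not a systemd directive; the option is spelled `CapabilityBoundingSet=`, so systemd reports an unknown key and ignores the line, leaving the service with the default (unrestricted) bounding set instead of the limit the commit message intends. Change it to `CapabilityBoundingSet=CAP_NET_ADMIN`. If the unit runs under a non-root `User=` (not visible in this hunk), note that the bounding set only limits and never grants, so `AmbientCapabilities=CAP_NET_ADMIN` would also be needed for the tun/tap setup to work. The added `ExecStartPre=+/sbin/modprobe tun` runs with full privileges and makes the unit fail wherever module loading is unavailable (for example inside a container); `ExecStartPre=+-/sbin/modprobe tun` would tolerate that failure. The shell `ExecStartPre=` that follows continues past the end of the hunk.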