What about adding NET_BIND_SERVICE to the ambient capabilities instead?

Ah, I take it coturn does its own privsep so it's not like it'll end up running as root, right?

I'm not sure what the best practice is here, but I've tested and the server does end up running as turnserver.

I wonder about the ownership of RuntimeDirectory though. Does the privsep fixup the ownership of that directory (to the extent that it is used at all, I've not looked very closely)? Otherwise, this change could introduce a regression wrt. to RuntimeDirectory ownership.

find /run -iname turnserver doesn't turn up anything, and after deleting the RuntimeDirectory directive and redeploying everything still works fine. Perhaps I could remove the directive as part of this PR?

Just to be sure: did you check that while the service was running? The runtime directory is supposed to be tied to the lifetime of the service.

Anyway, I think @Ralith is better suited to review this

The RuntimeDirectory is used to store the service's PID file, and absolutely does get touched. I don't have any knowledge of whether it's needed; if you've verified that it works fine without, then it should probably be removed from the config file, too (and tested again).

I'm also in favor of a capability approach rather than the big hammer that is root, unless there's some reason that won't work.

My bad, the RuntimeDirectory is of course created. I've updated the PR to use ambient capabilities as you suggest, and tested to confirm that port binding succeeeds. I only just read up on the linux capability saga, so let me know if there's anything else I need to do here.

A possible improvement is to augment ambient capabilities only when configured to use a privileged port.

Great suggestion @joachifm, I've updated the PR to do this. BTW I'm loving nixops, this kind of thing would have been a pain with ansible!

Would you prefer that I squished the commits together?

Thanks, I've fixed both.

OK, squashed and rebased to latest master

Sorry to mention this so late, but it just occurred to me that you could create the runtime dir with the appropriate ownership via preStart if you preferred to use the builtin privsep thing.

Actually, using AmbientCapabalities works great, and avoids using root so I think this is a good solution. Thanks for all the advice, I've definitely learned more about linux doing this PR!

Merging due to maintainer approval. Thank you.