Robin Candau pushed to branch main at Arch Linux / Packaging / Packages / adguardhome
Commits: 45357d82 by John Audia at 2026-01-26T21:08:18+01:00 adguardhome: add sysusers, correct service, make homedir Add a sysusers file to create a persistent adguardhome user and switch the service away from DynamicUser= in favor of an explicit User= entry. The systemd service has been corrected to use the appropriate Linux capabilities. The previous unit incorrectly granted CAP_NET_RAW, which AdGuardHome does not use for either DNS or DHCP AFAIK. The service now grants CAP_NET_BIND_SERVICE for binding privileged DNS and HTTPS ports and CAP_NET_ADMIN for DHCP functionality, matching guidance in the Linux capability documentation (man 7 capabilities, man 7 packet) and consistent with AdGuardHome’s DHCP implementation, which relies on packet sockets and interface operations rather than raw ICMP. Added a post_install msg to advertise dropping privileges for DNS-only use cases. Signed-off-by: John Audia <[email protected]> - - - - - 5 changed files: - .SRCINFO - PKGBUILD - + adguardhome.install - adguardhome.service - + adguardhome.sysusers Changes: ===================================== .SRCINFO ===================================== @@ -4,6 +4,7 @@ pkgbase = adguardhome pkgrel = 1 epoch = 1 url = https://github.com/AdguardTeam/AdGuardHome + install = adguardhome.install arch = x86_64 license = GPL-2.0-only makedepends = go 
@@ -13,7 +14,9 @@ pkgbase = adguardhome depends = glibc source = adguardhome-0.107.71.tar.gz::https://github.com/AdguardTeam/AdGuardHome/archive/v0.107.71.tar.gz source = adguardhome.service + source = adguardhome.sysusers b2sums = 2619d0fbe8e6e4e67df6bc4898c7b1f5fec2885614b1a3b4b9b53a14268b0dfaf6d2a8748d6eb9629b0a5717dfb65c43b64c1b09230f8bd975e7143bacfff683 - b2sums = 161152f91e09fe491db631eb6ed603c0c975453b682467945fdade6091bf427ec932230f3a10e40e2f054dc01567930ecc27343c04882fb0e736b4f6becc96da + b2sums = 681476e8814120da4903d0766e9dd28931741247cac58e74fbb2218092b2b513045fbf0c33745e68d8c35e7a2c3e29cdd3f1e95221137b753d7aaf3a56a2f514 + b2sums = 39c0caacf9261d1be4668086701b4b207ec63f40f575dd322bdb37b1e6796ab89d7bbc56806867ddf11a0c71bcac5f62629518a3065cbcb2eea340ab8272abb4 pkgname = adguardhome ===================================== PKGBUILD ===================================== @@ -12,11 +12,14 @@ arch=(x86_64) url='https://github.com/AdguardTeam/AdGuardHome' license=(GPL-2.0-only) source=("$pkgname-$pkgver.tar.gz::$url/archive/v$pkgver.tar.gz" - $pkgname.service) + $pkgname.service + $pkgname.sysusers) makedepends=(go nodejs npm git) depends=(glibc) +install=$pkgname.install b2sums=('2619d0fbe8e6e4e67df6bc4898c7b1f5fec2885614b1a3b4b9b53a14268b0dfaf6d2a8748d6eb9629b0a5717dfb65c43b64c1b09230f8bd975e7143bacfff683' - '161152f91e09fe491db631eb6ed603c0c975453b682467945fdade6091bf427ec932230f3a10e40e2f054dc01567930ecc27343c04882fb0e736b4f6becc96da') + '681476e8814120da4903d0766e9dd28931741247cac58e74fbb2218092b2b513045fbf0c33745e68d8c35e7a2c3e29cdd3f1e95221137b753d7aaf3a56a2f514' + '39c0caacf9261d1be4668086701b4b207ec63f40f575dd322bdb37b1e6796ab89d7bbc56806867ddf11a0c71bcac5f62629518a3065cbcb2eea340ab8272abb4') prepare() { cd $_name-$pkgver 
@@ -43,6 +46,7 @@ build() { package() { install -Dm755 $_name-$pkgver/$pkgname "$pkgdir"/usr/bin/$pkgname install -Dm644 $pkgname.service "$pkgdir"/usr/lib/systemd/system/$pkgname.service + install -Dm644 $pkgname.sysusers "$pkgdir"/usr/lib/sysusers.d/$pkgname.conf install -dm755 "$pkgdir"/etc ln -s /var/lib/$pkgname/$_name.yaml "$pkgdir"/etc/$pkgname.yaml } ===================================== adguardhome.install ===================================== @@ -0,0 +1,18 @@ +_msg() { + cat <<END +>>> If you're not using Adguardhome DHCP feature, consider dropping + CAP_NET_ADMIN privileges from adguardhome.service via a drop-in file + + See: https://wiki.archlinux.org/title/Systemd#Drop-in_files +END +} + +post_install() { + _msg +} + +post_upgrade() { + if (( $(vercmp "$2" 0.107.71-2) < 0 )); then + _msg + fi +} ===================================== adguardhome.service ===================================== @@ -3,11 +3,12 @@ Description=AdGuard Home: Network-level blocker After=syslog.target network-online.target [Service] -DynamicUser=true +User=adguardhome StateDirectory=adguardhome +StateDirectoryMode=0750 WorkingDirectory=/var/lib/adguardhome -AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW -CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW +AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN +CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN ExecStart=/usr/bin/adguardhome -w /var/lib/adguardhome -l syslog PrivateTmp=true ===================================== adguardhome.sysusers ===================================== @@ -0,0 +1 @@ +u! adguardhome - "adguardhome user" /var/lib/adguardhome View it on GitLab: https://gitlab.archlinux.org/archlinux/packaging/packages/adguardhome/-/commit/45357d827536f15aa731623b301e49283939f242
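Review bot: in post_upgrade of adguardhome.install, the threshold `0.107.71-2` carries no epoch, while the .SRCINFO context shows `epoch = 1`. pacman passes the full old version (for example 1:0.107.71-1) as `$2`, and vercmp ranks any epoch-1 version above an epoch-less string, so the `< 0` test is never true and upgrading users never see the CAP_NET_ADMIN message. Suggest `vercmp "$2" 1:0.107.71-2`, and bump pkgrel to 2 in the same commit, since the .SRCINFO context still reads `pkgrel = 1`.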
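Review bot: in the capability lines of adguardhome.service, CAP_NET_RAW is removed although the commit message says the DHCP implementation relies on packet sockets; capabilities(7) and packet(7) place opening PACKET sockets under CAP_NET_RAW, not CAP_NET_ADMIN, so the DHCP server should be tested under the new set before this ships, and CAP_NET_RAW kept for DHCP users if it fails. Because the install message already treats DHCP as optional, consider granting only CAP_NET_BIND_SERVICE in the packaged unit and documenting the DHCP capabilities as the drop-in, so the broader privilege is opt-in. Separately, replacing `DynamicUser=true` with `User=adguardhome` drops the sandboxing that DynamicUser implies (ProtectSystem=strict, ProtectHome=read-only, NoNewPrivileges, RemoveIPC); only `PrivateTmp=true` is visible in this hunk, so set the others explicitly unless the rest of the unit already does.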
