From 71d6aa8b614f557d029bfc2e64375c812ed7bc10 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Sat, 7 Feb 2026 06:26:53 +0100
Subject: [PATCH] fix: disable PrivateDevices to allow nix sandbox namespace creation

The PrivateDevices=true systemd hardening option was preventing Nix from creating the kernel namespaces required for its build sandbox.

Co-Authored-By: Claude Opus 4.5
---
 nixos/module.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nixos/module.nix b/nixos/module.nix
index d17a68e..148ab38 100644
--- a/nixos/module.nix
+++ b/nixos/module.nix
@@ -132,7 +132,7 @@ in
 ProtectSystem = "false";
 ProtectHome = "read-only";
 PrivateTmp = true;
- PrivateDevices = true;
+ PrivateDevices = false;
 ProtectKernelTunables = true;
 ProtectKernelModules = true;
 ProtectControlGroups = true;
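Review bot: Setting `PrivateDevices = false;` gives up more than the private /dev mount — in systemd that option also implies `DevicePolicy=closed` and drops CAP_MKNOD and CAP_SYS_RAWIO from the unit's bounding set, so this one-line change widens both device access and capabilities, and nothing else in the hunk compensates. `ProtectKernelTunables`, `ProtectKernelModules` and `ProtectControlGroups` stay enabled and also depend on a mount namespace, so if builds work with them on, the breakage is likelier one of the implied effects above than namespace creation as such; pinning that down would allow a narrower fix, e.g. keeping `PrivateDevices = true;` and re-adding only the needed device or capability, or combining the new `PrivateDevices = false;` with `DevicePolicy = "closed";` plus an explicit `DeviceAllow` list. Whatever is kept, the trade-off should be recorded at the site so it is not silently re-hardened later, e.g. `# PrivateDevices=true breaks the Nix build sandbox (see 71d6aa8); re-enable only after re-testing a sandboxed build.`. The enclosing attribute set (presumably `serviceConfig`) starts and ends outside the hunk.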