torjus/homelab-deploy
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: disable PrivateDevices to allow nix sandbox namespace creation

Browse Source 
The PrivateDevices=true systemd hardening option was preventing Nix
from creating the kernel namespaces required for its build sandbox.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Torjus Håkestad
2026-02-07 06:26:53 +01:00
parent 2c97b6140c
commit 71d6aa8b61
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
nixos/module.nix
View File

@@ -132,7 +132,7 @@ in
ProtectSystem = "false"; ProtectSystem = "false";
ProtectHome = "read-only"; ProtectHome = "read-only";
PrivateTmp = true; PrivateTmp = true;
PrivateDevices = true; PrivateDevices = false;
ProtectKernelTunables = true; ProtectKernelTunables = true;
ProtectKernelModules = true; ProtectKernelModules = true;
ProtectControlGroups = true; ProtectControlGroups = true;