From 95b795dcfd86b7b36045bba67e536b3a1c61dd33 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Torjus=20H=C3=A5kestad?= Date: Sat, 7 Feb 2026 06:52:16 +0100 Subject: [PATCH] fix: remove systemd hardening to allow nix sandbox namespace creation The previous hardening options (ProtectControlGroups, LockPersonality, SystemCallArchitectures, etc.) prevented Nix from creating the kernel namespaces required for build sandboxing. Following the approach of the NixOS auto-upgrade module which has no hardening since nixos-rebuild requires broad system access. Co-Authored-By: Claude Opus 4.5 --- nixos/module.nix | 20 +++----------------- 1 file changed, 3 insertions(+), 17 deletions(-) diff --git a/nixos/module.nix b/nixos/module.nix index 148ab38..07bffc7 100644 --- a/nixos/module.nix +++ b/nixos/module.nix @@ -122,26 +122,12 @@ in Restart = "always"; RestartSec = 10; - # Hardening (compatible with nixos-rebuild requirements) - # Note: Some options are relaxed because nixos-rebuild requires: + # Minimal hardening - nixos-rebuild requires broad system access: # - Write access to /nix/store for building + # - Kernel namespace support for nix sandbox builds # - Ability to activate system configurations # - Network access for fetching from git/cache - # - Namespace support for nix sandbox builds - NoNewPrivileges = false; - ProtectSystem = "false"; - ProtectHome = "read-only"; - PrivateTmp = true; - PrivateDevices = false; - ProtectKernelTunables = true; - ProtectKernelModules = true; - ProtectControlGroups = true; - RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; - RestrictNamespaces = false; - RestrictSUIDSGID = true; - LockPersonality = true; - MemoryDenyWriteExecute = false; - SystemCallArchitectures = "native"; + # Following the approach of nixos auto-upgrade which has no hardening }; }; };