fix: remove systemd hardening to allow nix sandbox namespace creation

The previous hardening options (ProtectControlGroups, LockPersonality,
SystemCallArchitectures, etc.) prevented Nix from creating the kernel
namespaces required for build sandboxing. This follows the approach of
the NixOS auto-upgrade module, which has no hardening because nixos-rebuild
requires broad system access.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-07 06:52:16 +01:00
parent 71d6aa8b61
commit 95b795dcfd


@@ -122,26 +122,12 @@ in
Restart = "always"; Restart = "always";
RestartSec = 10; RestartSec = 10;
# Hardening (compatible with nixos-rebuild requirements) # Minimal hardening - nixos-rebuild requires broad system access:
# Note: Some options are relaxed because nixos-rebuild requires:
# - Write access to /nix/store for building # - Write access to /nix/store for building
# - Kernel namespace support for nix sandbox builds
# - Ability to activate system configurations # - Ability to activate system configurations
# - Network access for fetching from git/cache # - Network access for fetching from git/cache
# - Namespace support for nix sandbox builds # Following the approach of nixos auto-upgrade which has no hardening
NoNewPrivileges = false;
ProtectSystem = "false";
ProtectHome = "read-only";
PrivateTmp = true;
PrivateDevices = false;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
RestrictNamespaces = false;
RestrictSUIDSGID = true;
LockPersonality = true;
MemoryDenyWriteExecute = false;
SystemCallArchitectures = "native";
}; };
}; };
}; };
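Review bot: The new comment header reads "Minimal hardening", but after this change no hardening directive remains in the unit at all, so the comment misstates what the block does. The commit message blames ProtectControlGroups, LockPersonality and SystemCallArchitectures for the namespace failure, yet the hunk also drops directives that have no obvious relation to namespace creation (PrivateTmp, ProtectKernelTunables, ProtectKernelModules, RestrictSUIDSGID, RestrictAddressFamilies); RestrictNamespaces was already false on the old side. I would either reword the header to `# No systemd hardening: nixos-rebuild requires broad system access:` or, preferably, keep the directives not implicated in the failure and remove only the three named ones, re-testing the sandbox build afterwards since I cannot confirm from the hunk which directive actually broke it. The enclosing serviceConfig attribute set starts outside the hunk, so check that the remaining `Restart`/`RestartSec` lines still close correctly.
```nix
# Hardening kept to what nixos-rebuild tolerates: it needs write access to
# /nix/store, kernel namespace creation for sandboxed builds, the ability to
# activate configurations, and network access for git/cache fetches.
# ProtectControlGroups, LockPersonality and SystemCallArchitectures were
# removed because they broke namespace creation (see commit message).
PrivateTmp = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
# … unchanged: closing braces of the enclosing attribute sets …
```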