fix: remove systemd hardening to allow nix sandbox namespace creation

The previous hardening options (ProtectControlGroups, LockPersonality, SystemCallArchitectures, etc.) prevented Nix from creating the kernel namespaces required for build sandboxing. Following the approach of the NixOS auto-upgrade module which has no hardening since nixos-rebuild requires broad system access. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-07 06:52:16 +01:00
parent 71d6aa8b61
commit 95b795dcfd
1 changed files with 3 additions and 17 deletions
--- a/nixos/module.nix
+++ b/nixos/module.nix
@@ -122,26 +122,12 @@ in
        Restart = "always";
        RestartSec = 10;

-        # Hardening (compatible with nixos-rebuild requirements)
-        # Note: Some options are relaxed because nixos-rebuild requires:
+        # Minimal hardening - nixos-rebuild requires broad system access:
        # - Write access to /nix/store for building
+        # - Kernel namespace support for nix sandbox builds
        # - Ability to activate system configurations
        # - Network access for fetching from git/cache
-        # - Namespace support for nix sandbox builds
-        NoNewPrivileges = false;
-        ProtectSystem = "false";
-        ProtectHome = "read-only";
-        PrivateTmp = true;
-        PrivateDevices = false;
-        ProtectKernelTunables = true;
-        ProtectKernelModules = true;
-        ProtectControlGroups = true;
-        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
-        RestrictNamespaces = false;
-        RestrictSUIDSGID = true;
-        LockPersonality = true;
-        MemoryDenyWriteExecute = false;
-        SystemCallArchitectures = "native";
+        # Following the approach of nixos auto-upgrade which has no hardening
      };
    };
  };