diff --git a/collector/flake.go b/collector/flake.go
index e76d9f5..55a7df8 100644
--- a/collector/flake.go
+++ b/collector/flake.go
@@ -191,7 +191,7 @@ func fetchFlakeMetadata(flakeURL string) (*flakeMetadata, error) {
 output, err := cmd.Output()
 if err != nil {
 if exitErr, ok := err.(*exec.ExitError); ok {
- return nil, fmt.Errorf("nix flake metadata failed: %s", string(exitErr.Stderr))
+ return nil, fmt.Errorf("nix flake metadata failed: %s", strings.TrimSpace(string(exitErr.Stderr)))
 }
 return nil, fmt.Errorf("nix flake metadata failed: %w", err)
 }
diff --git a/module.nix b/module.nix
index 3167015..6edb97b 100644
--- a/module.nix
+++ b/module.nix
@@ -114,7 +114,9 @@ in
 ProtectKernelTunables = true;
 ProtectKernelModules = true;
 ProtectControlGroups = true;
- RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ # AF_UNIX required for nix daemon communication when flake collector enabled
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]
+ ++ lib.optionals cfg.flake.enable [ "AF_UNIX" ];
 RestrictNamespaces = true;
 RestrictRealtime = true;
 RestrictSUIDSGID = true;
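Review bot: In the `*exec.ExitError` branch of fetchFlakeMetadata the returned error is built from stderr alone and `err` is not wrapped, so the exit status is dropped and callers cannot match it with `errors.As`; if stderr happens to be empty the message ends at "failed:". I would write `return nil, fmt.Errorf("nix flake metadata failed: %w: %s", err, strings.TrimSpace(string(exitErr.Stderr)))`. TrimSpace only strips leading and trailing whitespace, so interior newlines in nix's stderr, which may echo the flake URL or remote content, still reach whatever logs this error; formatting that part with `%q` would keep each entry on one line. The function body starts and ends outside the hunk.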
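Review bot: Adding `AF_UNIX` to `RestrictAddressFamilies` lets the service open a connection to any Unix socket it can reach on the filesystem, not only the nix daemon's, and the new comment does not record that trade-off. I would extend the comment to something like `# AF_UNIX is needed only to reach the nix daemon; it also permits connections to any other Unix socket visible to the unit, so keep its filesystem view restricted`. Whether the unit already narrows path visibility (for example with ProtectSystem, ProtectHome or PrivateTmp) is not visible in this hunk and should be checked with this change. The attribute set continues outside the hunk.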