From d4b957707068190764799d54ed3056cddbef5044 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Fri, 6 Feb 2026 23:33:15 +0100
Subject: [PATCH] fix: allow AF_UNIX sockets for nix daemon communication

The flake collector needs Unix domain sockets to communicate with the nix daemon. The RestrictAddressFamilies hardening was blocking this. Also trim trailing newlines from stderr in error messages.

Co-Authored-By: Claude Opus 4.5
---
 collector/flake.go | 2 +-
 module.nix | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/collector/flake.go b/collector/flake.go
index e76d9f5..55a7df8 100644
--- a/collector/flake.go
+++ b/collector/flake.go
@@ -191,7 +191,7 @@ func fetchFlakeMetadata(flakeURL string) (*flakeMetadata, error) {
 output, err := cmd.Output()
 if err != nil {
 if exitErr, ok := err.(*exec.ExitError); ok {
- return nil, fmt.Errorf("nix flake metadata failed: %s", string(exitErr.Stderr))
+ return nil, fmt.Errorf("nix flake metadata failed: %s", strings.TrimSpace(string(exitErr.Stderr)))
 }
 return nil, fmt.Errorf("nix flake metadata failed: %w", err)
 }
diff --git a/module.nix b/module.nix
index 3167015..6edb97b 100644
--- a/module.nix
+++ b/module.nix
@@ -114,7 +114,9 @@ in
 ProtectKernelTunables = true;
 ProtectKernelModules = true;
 ProtectControlGroups = true;
- RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ # AF_UNIX required for nix daemon communication when flake collector enabled
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]
+ ++ lib.optionals cfg.flake.enable [ "AF_UNIX" ];
 RestrictNamespaces = true;
 RestrictRealtime = true;
 RestrictSUIDSGID = true;
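Review bot: In the `*exec.ExitError` branch of fetchFlakeMetadata the returned error still drops `err`, so an exit with empty stderr now produces `nix flake metadata failed: ` with no cause and callers cannot unwrap the exit status; `return nil, fmt.Errorf("nix flake metadata failed: %w: %s", err, strings.TrimSpace(string(exitErr.Stderr)))` keeps both. `strings.TrimSpace` strips only the ends, so multi-line stderr, which for a remote flake may carry text the operator does not control, still reaches whatever logs this error; formatting it with `%q` or collapsing interior newlines would keep one failure on one log line. The diffstat shows a single changed line in flake.go, so this builds only if `strings` is already imported, which is not visible here. The function body starts and ends outside the hunk.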
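Review bot: The new comment on `RestrictAddressFamilies` should say what the exception costs: `AF_UNIX` is not scoped to a path, so with `cfg.flake.enable` set the unit may connect to any Unix socket its user can open, not only the nix daemon's. I would extend it with a line such as `# AF_UNIX is not path-scoped; socket reachability is then limited only by filesystem permissions and the unit's path restrictions`. If the rest of the service configuration (outside this hunk) does not already hide other sockets, systemd's `InaccessiblePaths=`, or a `TemporaryFileSystem=` plus `BindReadOnlyPaths=` pair that exposes only the daemon socket directory, would restore most of the confinement. Gating the extra family on `cfg.flake.enable` rather than adding it unconditionally is the right shape.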