From 3b8aedd5021b4e4c06bff847c6f7aaa6871c17b2 Mon Sep 17 00:00:00 2001
From: Simon Gardling
Date: Mon, 6 Apr 2026 13:36:38 -0400
Subject: [PATCH] fix hardened kernel with nix sandbox
---
 modules/security.nix | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/modules/security.nix b/modules/security.nix
index f1bebcd..52d0a28 100644
--- a/modules/security.nix
+++ b/modules/security.nix
@@ -13,6 +13,12 @@
 # disable coredumps
 systemd.coredump.enable = false;
+ # The hardened kernel defaults kernel.unprivileged_userns_clone to 0, which
+ # prevents the Nix sandbox from mapping UIDs/GIDs. Without this, any derivation
+ # that calls `id` in its build phase (e.g. logrotate checkPhase) fails when not
+ # served from the binary cache. See https://github.com/NixOS/nixpkgs/issues/287194
+ security.unprivilegedUsernsClone = true;
+
 services = {
 dbus.implementation = "broker";
 /*
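Review bot: The added comment explains why builds break but not what the setting gives up: `security.unprivilegedUsernsClone = true` lets every unprivileged local user create user namespaces again, not only the Nix sandbox, which is the kernel attack surface the hardened default (per the comment, `kernel.unprivileged_userns_clone` at 0) was closing. I would record that trade-off next to the option, e.g. `# NOTE: re-enables unprivileged user namespaces system-wide, not only for Nix builds; drop once builds no longer need it.` The surrounding module attrset begins and ends outside this hunk, so whether other settings in this file assume user namespaces stay disabled cannot be checked from here.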