titaniumtown/server-config
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix hardened kernel with nix sandbox

Browse Source
This commit is contained in:
Simon Gardling
2026-04-06 13:36:38 -04:00
parent 960259b0d0
commit 3b8aedd502
1 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
modules/security.nix
View File

@@ -13,6 +13,12 @@
# disable coredumps # disable coredumps
systemd.coredump.enable = false; systemd.coredump.enable = false;
# The hardened kernel defaults kernel.unprivileged_userns_clone to 0, which
# prevents the Nix sandbox from mapping UIDs/GIDs. Without this, any derivation
# that calls `id` in its build phase (e.g. logrotate checkPhase) fails when not
# served from the binary cache. See https://github.com/NixOS/nixpkgs/issues/287194
security.unprivilegedUsernsClone = true;
services = { services = {
dbus.implementation = "broker"; dbus.implementation = "broker";
/* /*