pyrox.dev / nixpkgs
lol
fork atom

audit: Disable in containers

This barfs:

Jan 18 12:46:32 machine 522i0x9l80z7gw56iahxjjsdjp0xi10q-audit-start[506]: The audit system is disabled

Eelco Dolstra 2352e258 981e8d55

options
unified split
Changed files
+6 -1
nixos
modules
security
audit.nix
virtualisation
container-config.nix
+3 -1
nixos/modules/security/audit.nix 
···

       
93

       
 

       



     

       
94

       
 

       
  config = mkIf (cfg.enable == "lock" || cfg.enable) {


     

       
95

       
 

       
    systemd.services.audit = {


     

       
96

       
-

       
      description = "pseudo-service representing the kernel audit state";


     

       
97

       
 

       
      wantedBy = [ "basic.target" ];


     

       

       

       
     

       

       

       
     

       
98

       
 

       



     

       
99

       
 

       
      path = [ pkgs.audit ];


     

       
100

       
 

       



     
···

       
93

       
 

       



     

       
94

       
 

       
  config = mkIf (cfg.enable == "lock" || cfg.enable) {


     

       
95

       
 

       
    systemd.services.audit = {


     

       
96

       
+

       
      description = "Kernel Auditing";


     

       
97

       
 

       
      wantedBy = [ "basic.target" ];


     

       
98

       
+

       



     

       
99

       
+

       
      unitConfig.ConditionVirtualization = "!container";


     

       
100

       
 

       



     

       
101

       
 

       
      path = [ pkgs.audit ];


     

       
102
+3
nixos/modules/virtualisation/container-config.nix 
···

       
19

       
 

       
    # Shut up warnings about not having a boot loader.


     

       
20

       
 

       
    system.build.installBootLoader = "${pkgs.coreutils}/bin/true";


     

       
21

       
 

       



     

       

       

       
     

       

       

       
     

       

       

       
     

       
22

       
 

       
  };


     

       
23

       
 

       



     

       
24

       
 

       
}


     
···

       
19

       
 

       
    # Shut up warnings about not having a boot loader.


     

       
20

       
 

       
    system.build.installBootLoader = "${pkgs.coreutils}/bin/true";


     

       
21

       
 

       



     

       
22

       
+

       
    # Not supported in systemd-nspawn containers.


     

       
23

       
+

       
    security.audit.enable = false;


     

       
24

       
+

       



     

       
25

       
 

       
  };


     

       
26

       
 

       



     

       
27

       
 

       
}