From eaeb8380dcf6b255413af9a0f82f9cd47f37a15e Mon Sep 17 00:00:00 2001 From: Colin Date: Fri, 2 Aug 2024 09:13:55 +0000 Subject: [PATCH] fs: enable @basic-api everywhere, since its required by systemd restart logic --- hosts/common/fs.nix | 2 +- modules/persist/stores/ephemeral.nix | 2 +- modules/persist/stores/private.nix | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/hosts/common/fs.nix b/hosts/common/fs.nix index 05d323d65..01803b32e 100644 --- a/hosts/common/fs.nix +++ b/hosts/common/fs.nix @@ -160,7 +160,7 @@ let mount.mountConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6"; #VVV this includes anything it reads from, e.g. /bin/sh; /nix/store/... # see `systemd-analyze filesystems` for a full list - mount.mountConfig.RestrictFileSystems = "@common-block devtmpfs fuse"; + mount.mountConfig.RestrictFileSystems = "@common-block @basic-api fuse"; mount.mountConfig.RestrictNamespaces = true; mount.mountConfig.RestrictRealtime = true; mount.mountConfig.RestrictSUIDSGID = true; diff --git a/modules/persist/stores/ephemeral.nix b/modules/persist/stores/ephemeral.nix index 6df669f97..6644bccec 100644 --- a/modules/persist/stores/ephemeral.nix +++ b/modules/persist/stores/ephemeral.nix @@ -69,7 +69,7 @@ lib.mkIf config.sane.persist.enable mount.mountConfig.RestrictAddressFamilies = "AF_UNIX"; # "none" works, but then it can't connect to the logger #VVV this includes anything it reads from, e.g. /bin/sh; /nix/store/... # see `systemd-analyze filesystems` for a full list - mount.mountConfig.RestrictFileSystems = "@common-block devtmpfs fuse pipefs"; + mount.mountConfig.RestrictFileSystems = "@common-block @basic-api fuse pipefs"; mount.mountConfig.RestrictNamespaces = true; mount.mountConfig.RestrictNetworkInterfaces = ""; mount.mountConfig.RestrictRealtime = true; diff --git a/modules/persist/stores/private.nix b/modules/persist/stores/private.nix index 5816a9bff..f28beb39f 100644 --- a/modules/persist/stores/private.nix +++ b/modules/persist/stores/private.nix @@ -131,7 +131,7 @@ lib.mkIf config.sane.persist.enable mount.mountConfig.ProtectHostname = true; mount.mountConfig.RemoveIPC = true; mount.mountConfig.RestrictAddressFamilies = "AF_UNIX"; # "none" works, but then it can't connect to the logger - mount.mountConfig.RestrictFileSystems = "@common-block devtmpfs fuse pipefs"; + mount.mountConfig.RestrictFileSystems = "@common-block @basic-api fuse pipefs"; mount.mountConfig.RestrictNamespaces = true; mount.mountConfig.RestrictNetworkInterfaces = ""; mount.mountConfig.RestrictRealtime = true;