wg-home-refresh: use the sandboxed wireguard-tools

2024-08-09 23:52:31 +00:00
parent 3d773fe375
commit f986936bbd
1 changed files with 2 additions and 1 deletions
--- a/modules/vpn.nix
+++ b/modules/vpn.nix
@@ -185,7 +185,7 @@ let
      # periodically re-apply peers, to ensure DNS mappings stay fresh
      # borrowed from <repo:nixos/nixpkgs:nixos/modules/services/networking/wireguard.nix>
      wantedBy = [ "network.target" ];
-      path = with pkgs; [ wireguard-tools ];
+      path = [ config.sane.programs.wireguard-tools.package ];
      serviceConfig.Restart = "always";
      serviceConfig.RestartSec = "60"; #< retry delay when we fail (because e.g. there's no network)
      serviceConfig.Type = "simple";
@@ -215,6 +215,7 @@ let
      serviceConfig.SystemCallArchitectures = "native";
      serviceConfig.SystemCallFilter = [
        "@system-service"
+        "@sandbox"
        "~@chown"
        "~@cpu-emulation"
        "~@keyring"