nixos/confinement: Use prio 100 for RootDirectory
One of the module that already supports the systemd-confinement module is public-inbox. However with the changes to support DynamicUser and ProtectSystem, the module will now fail at runtime if confinement is enabled (it's optional and you'll need to override it via another module). The reason is that the RootDirectory is set to /var/empty in the public-inbox module, which doesn't work well with the InaccessiblePaths directive we now use to support DynamicUser/ProtectSystem. To make this issue more visible, I decided to just change the priority of the RootDirectory option definiton the default override priority so that whenever another different option is defined, we'll get a conflict at evaluation time. Signed-off-by: aszlig <aszlig@nix.build>
This commit is contained in:
parent
0a9cecc35a
commit
e4bd1e8f92
@ -107,7 +107,7 @@ in {
|
||||
serviceConfig = {
|
||||
ReadOnlyPaths = [ "+/" ];
|
||||
RuntimeDirectory = [ "confinement/${mkPathSafeName name}" ];
|
||||
RootDirectory = lib.mkDefault "/run/confinement/${mkPathSafeName name}";
|
||||
RootDirectory = "/run/confinement/${mkPathSafeName name}";
|
||||
InaccessiblePaths = [
|
||||
"-+/run/confinement/${mkPathSafeName name}"
|
||||
];
|
||||
|
Loading…
Reference in New Issue
Block a user