From fd196452f03f77aea5f2cd5babda21534e3c7f2d Mon Sep 17 00:00:00 2001
From: Dominique Martinet <asmadeus@codewreck.org>
Date: Sun, 6 Sep 2020 17:56:44 +0200
Subject: systemd-confinement: handle ExecStarts etc being lists

systemd-confinement's automatic package extraction does not work correctly
if ExecStarts ExecReload etc are lists.

Add an extra flatten to make things smooth.

Fixes #96840.
---
 nixos/modules/security/systemd-confinement.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nixos/modules/security/systemd-confinement.nix b/nixos/modules/security/systemd-confinement.nix
index 0a400f1d535..2927d424a8a 100644
--- a/nixos/modules/security/systemd-confinement.nix
+++ b/nixos/modules/security/systemd-confinement.nix
@@ -135,7 +135,7 @@ in {
           ];
           execPkgs = lib.concatMap (opt: let
             isSet = config.serviceConfig ? ${opt};
-          in lib.optional isSet config.serviceConfig.${opt}) execOpts;
+          in lib.flatten (lib.optional isSet config.serviceConfig.${opt})) execOpts;
           unitAttrs = toplevelConfig.systemd.units."${name}.service";
           allPkgs = lib.singleton (builtins.toJSON unitAttrs);
           unitPkgs = if fullUnit then allPkgs else execPkgs;
-- 
cgit 1.4.1