authorAustin Seipp <aseipp@pobox.com>2015-03-20 15:36:42 -0500
committerAustin Seipp <aseipp@pobox.com>2015-03-20 15:36:42 -0500
commit3ff22a924f1bd9c67a57566fe81d68120ce1d37f (patch)
tree4460b1e2f1dcb6277e5c5029362254c1778cafbb /nixos/modules/security
parentea2fd84ecd4139db82769dfeafe6da833146bb99 (diff)
parentb0698d4342a0057c019becebc8482ad5ff893f7d (diff)
Merge pull request #6871 from joachifm/apparmor-fixups
Apparmor fixups
Diffstat (limited to 'nixos/modules/security')
-rw-r--r--nixos/modules/security/apparmor.nix18
1 files changed, 3 insertions, 15 deletions
diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix
index 92f020edce5..4fef62cbffd 100644
--- a/nixos/modules/security/apparmor.nix
+++ b/nixos/modules/security/apparmor.nix
@@ -6,37 +6,26 @@ let
 in
 
 {
-   #### interface
    options = {
-
      security.apparmor = {
-
        enable = mkOption {
          type = types.bool;
          default = false;
          description = "Enable the AppArmor Mandatory Access Control system.";
        };
-
        profiles = mkOption {
          type = types.listOf types.path;
          default = [];
          description = "List of files containing AppArmor profiles.";
        };
-
      };
-
    };
 
-   #### implementation
    config = mkIf cfg.enable {
-
-     environment.systemPackages = [
-       pkgs.apparmor-utils
-     ];
+     environment.systemPackages = [ pkgs.apparmor-utils ];
 
      systemd.services.apparmor = {
        wantedBy = [ "local-fs.target" ];
-
        serviceConfig = {
          Type = "oneshot";
          RemainAfterExit = "yes";
@@ -50,12 +39,11 @@ in
      };
 
      security.pam.services.apparmor.text = ''
-       ## The AppArmor service changes hats according to order: first try
-       ## user, then group, and finally fall back to a hat called "DEFAULT"
+       ## AppArmor changes hats according to `order`: first try user, then
+       ## group, and finally fall back to a hat called "DEFAULT"
        ##
        ## For now, enable debugging as this is an experimental feature.
        session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug
      '';
-
    };
 }
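Review bot: The PAM line kept as context under the rewrapped comment is `session optional … order=user,group,default debug`, and neither `optional` nor `debug` can be changed from the module's options (only `enable` and `profiles` appear in the first hunk). With `optional`, a failed hat change is normally ignored by PAM rather than failing the session, so the session continues under whatever confinement the calling process already had. If that fail-open behaviour is intended while the feature is experimental, the comment should say so, e.g. `## NOTE: "optional" means a failed hat change does not block the session.` The `debug` flag is likewise unconditional and makes the module log verbosely for every session, so consider gating it behind an option that can be turned off once the feature is no longer experimental. This hunk only rewords the comment, so the point concerns the surrounding line rather than the change itself.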