-rw-r--r--nixos/modules/config/sysctl.nix5
-rw-r--r--nixos/modules/services/audio/alsa.nix1
-rw-r--r--nixos/modules/services/hardware/acpid.nix1
-rw-r--r--nixos/modules/services/logging/klogd.nix2
-rw-r--r--nixos/modules/services/misc/nix-daemon.nix3
-rw-r--r--nixos/modules/services/networking/dhcpcd.nix2
-rw-r--r--nixos/modules/system/boot/kernel.nix5
-rw-r--r--nixos/modules/system/boot/shutdown.nix28
-rw-r--r--nixos/modules/tasks/cpu-freq.nix2
-rw-r--r--nixos/modules/tasks/network-interfaces.nix2
-rw-r--r--nixos/modules/tasks/scsi-link-power-management.nix2
11 files changed, 37 insertions, 16 deletions
diff --git a/nixos/modules/config/sysctl.nix b/nixos/modules/config/sysctl.nix
index f987c9c9e94..8f9b31dccff 100644
--- a/nixos/modules/config/sysctl.nix
+++ b/nixos/modules/config/sysctl.nix
@@ -46,7 +46,10 @@ in
         before = [ "sysinit.target" "shutdown.target" ];
         wantedBy = [ "sysinit.target" "multi-user.target" ];
         restartTriggers = [ config.environment.etc."sysctl.d/nixos.conf".source ];
-        unitConfig.DefaultDependencies = false; # needed to prevent a cycle
+        unitConfig = {
+          DefaultDependencies = false; # needed to prevent a cycle
+          ConditionPathIsReadWrite = "/proc/sys/"; # prevent systemd-sysctl in containers
+        };
         serviceConfig = {
           Type = "oneshot";
           RemainAfterExit = true;
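Review bot: The new `ConditionPathIsReadWrite = "/proc/sys/"` makes the whole unit skip silently, so every key configured through `boot.kernel.sysctl` — including any hardening entries — is simply not applied inside a container, and the inline comment only gives the container motivation, not that consequence. Suggest extending the comment on that line to `# prevent systemd-sysctl in containers (read-only /proc/sys); boot.kernel.sysctl is then silently not applied there`. The condition also tests the mount as a whole, so a container manager that exposes a writable subtree (presumably `/proc/sys/net` under a private network namespace — confirm for nspawn) still loses those keys. The service definition begins before this hunk.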
diff --git a/nixos/modules/services/audio/alsa.nix b/nixos/modules/services/audio/alsa.nix
index d021b8bd3ba..c9a2ef4589b 100644
--- a/nixos/modules/services/audio/alsa.nix
+++ b/nixos/modules/services/audio/alsa.nix
@@ -55,6 +55,7 @@ in
       { description = "Store Sound Card State";
         wantedBy = [ "multi-user.target" ];
         unitConfig.RequiresMountsFor = "/var/lib/alsa";
+        unitConfig.ConditionVirtualization = "!systemd-nspawn";
         serviceConfig = {
           Type = "oneshot";
           RemainAfterExit = true;
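Review bot: `ConditionVirtualization = "!systemd-nspawn"` keys the skip on one container manager, so the same state-saving unit still runs under other container runtimes where there is equally no sound card to save state for; systemd's `ConditionVirtualization=!container` matches any container implementation and states the intent directly. If targeting nspawn only is a deliberate project convention, a comment on the new line would keep the next reader from "fixing" it: `# no sound hardware inside nspawn containers`. The unit definition begins before this hunk.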
diff --git a/nixos/modules/services/hardware/acpid.nix b/nixos/modules/services/hardware/acpid.nix
index adba6394dcf..2329f38dfc2 100644
--- a/nixos/modules/services/hardware/acpid.nix
+++ b/nixos/modules/services/hardware/acpid.nix
@@ -110,6 +110,7 @@ in
 
         exec = "acpid --confdir ${acpiConfDir}";
 
+        unitConfig.ConditionVirtualization = "!systemd-nspawn";
         unitConfig.ConditionPathExists = [ "/proc/acpi" ];
       };
 
diff --git a/nixos/modules/services/logging/klogd.nix b/nixos/modules/services/logging/klogd.nix
index d7d0bbf89a5..36b530d0077 100644
--- a/nixos/modules/services/logging/klogd.nix
+++ b/nixos/modules/services/logging/klogd.nix
@@ -32,6 +32,8 @@ with pkgs.lib;
 
         path = [ pkgs.sysklogd ];
 
+        unitConfig.ConditionVirtualization = "!systemd-nspawn";
+
         exec =
           "klogd -c 1 -2 -n " +
           "-k $(dirname $(readlink -f /run/booted-system/kernel))/System.map";
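Review bot: The virtualization check stands in for what klogd actually needs — permission to read the kernel log — so a system that lacks `CAP_SYSLOG` (or restricts dmesg) for reasons other than nspawn still starts the service and lets it fail; `unitConfig.ConditionCapability = "CAP_SYSLOG";` would gate on the real prerequisite and match the `ConditionCapability` style used by the dhcpcd and kernel hunks in this commit (a container explicitly granted the capability would then presumably be allowed to run it — confirm that is wanted). Separately, the `-k .../System.map` path is derived from `/run/booted-system/kernel`, which inside a container presumably does not correspond to the kernel actually running, so symbol resolution would be misleading even where the log is readable; a one-line comment above the `exec` noting that assumption would help. The service definition begins before this hunk.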
diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix
index 1707828d0db..1aefe75931b 100644
--- a/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixos/modules/services/misc/nix-daemon.nix
@@ -279,6 +279,7 @@ in
       { description = "Nix Daemon Socket";
         wantedBy = [ "sockets.target" ];
         before = [ "multi-user.target" ];
+        unitConfig.ConditionPathIsReadWrite = "/nix/var/nix/daemon-socket/";
         socketConfig.ListenStream = "/nix/var/nix/daemon-socket/socket";
       };
 
@@ -290,6 +291,8 @@ in
 
         environment = cfg.envVars // { CURL_CA_BUNDLE = "/etc/ssl/certs/ca-bundle.crt"; };
 
+        unitConfig.ConditionPathIsReadWrite = "/nix/var/nix/daemon-socket/";
+
         serviceConfig =
           { ExecStart = "@${nix}/bin/nix-daemon nix-daemon --daemon";
             KillMode = "process";
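Review bot: `ConditionPathIsReadWrite = "/nix/var/nix/daemon-socket/"` is evaluated against a path that must already exist when the unit's conditions are checked; if that directory is only created later (for example by an activation step not shown here), the condition fails on a fresh system and the daemon is skipped rather than started — worth confirming who creates it. The identical condition on `nix-daemon.socket` in the hunk above means clients inside a read-only container see a connection error on the socket path rather than anything explaining why, so a short comment on the new line stating the intent would help: `# skip the daemon where /nix/var is a read-only mount (containers)`. The service definition begins before this hunk.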
diff --git a/nixos/modules/services/networking/dhcpcd.nix b/nixos/modules/services/networking/dhcpcd.nix
index 07b5606eaca..ea263b3c89d 100644
--- a/nixos/modules/services/networking/dhcpcd.nix
+++ b/nixos/modules/services/networking/dhcpcd.nix
@@ -114,6 +114,8 @@ in
 
         path = [ dhcpcd pkgs.nettools pkgs.openresolv ];
 
+        unitConfig.ConditionCapability = "CAP_NET_ADMIN";
+
         serviceConfig =
           { Type = "forking";
             PIDFile = "/run/dhcpcd.pid";
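Review bot: `ConditionCapability = "CAP_NET_ADMIN"` only asks whether the capability is in the manager's bounding set, not whether the network namespace is private, so a container that is granted CAP_NET_ADMIN while sharing the host's network namespace would still start a second DHCP client against the host's interfaces and could overwrite its routes and resolver configuration. That combination may be unusual, but as this commit is about container safety the limitation deserves a comment on the new line, e.g. `# skipped in containers without CAP_NET_ADMIN; a container holding the cap on a shared host netns still runs dhcpcd`. dhcpcd presumably also needs raw sockets for DHCP, so `CAP_NET_RAW` may be the second capability to require (confirm). The service definition begins before this hunk.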
diff --git a/nixos/modules/system/boot/kernel.nix b/nixos/modules/system/boot/kernel.nix
index 64d4c33c965..c3c38b186bd 100644
--- a/nixos/modules/system/boot/kernel.nix
+++ b/nixos/modules/system/boot/kernel.nix
@@ -231,7 +231,10 @@ in
         wantedBy = [ "sysinit.target" "multi-user.target" ];
         before = [ "sysinit.target" "shutdown.target" ];
         conflicts = [ "shutdown.target" ];
-        unitConfig.DefaultDependencies = "no";
+        unitConfig =
+          { DefaultDependencies = false;
+            ConditionCapability = "CAP_SYS_MODULE";
+          };
         serviceConfig =
           { Type = "oneshot";
             RemainAfterExit = true;
diff --git a/nixos/modules/system/boot/shutdown.nix b/nixos/modules/system/boot/shutdown.nix
index ad71a2e816e..44cadcd64a7 100644
--- a/nixos/modules/system/boot/shutdown.nix
+++ b/nixos/modules/system/boot/shutdown.nix
@@ -6,20 +6,20 @@ with pkgs.lib;
 
   # This unit saves the value of the system clock to the hardware
   # clock on shutdown.
-  systemd.units."save-hwclock.service" =
-    { wantedBy = [ "shutdown.target" ];
-
-      text =
-        ''
-          [Unit]
-          Description=Save Hardware Clock
-          DefaultDependencies=no
-          Before=shutdown.target
-
-          [Service]
-          Type=oneshot
-          ExecStart=${pkgs.utillinux}/sbin/hwclock --systohc ${if config.time.hardwareClockInLocalTime then "--localtime" else "--utc"}
-        '';
+  systemd.services.save-hwclock =
+    { description = "Save Hardware Clock";
+
+      wantedBy = [ "shutdown.target" ];
+
+      unitConfig = {
+        DefaultDependencies = false;
+        ConditionVirtualization = "!systemd-nspawn";
+      };
+
+      serviceConfig = {
+        Type = "oneshot";
+        ExecStart = "${pkgs.utillinux}/sbin/hwclock --systohc ${if config.time.hardwareClockInLocalTime then "--localtime" else "--utc"}";
+      };
     };
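Review bot: The rewrite drops the `Before=shutdown.target` ordering that the removed unit text had; `wantedBy` only pulls the unit into the shutdown transaction, and with `DefaultDependencies = false` nothing now orders `hwclock --systohc` before shutdown.target is reached, whereas the sysctl and kernel hunks in this commit keep `before = [ ... "shutdown.target" ]` for exactly this reason. Add `before = [ "shutdown.target" ];` next to `wantedBy` to restore the old behaviour. `ConditionVirtualization = "!systemd-nspawn"` also skips only nspawn; `!container` would cover every container type that has no hardware clock to save while still allowing VMs, where the write is meaningful.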
 
   boot.kernel.sysctl."kernel.poweroff_cmd" = "${config.systemd.package}/sbin/poweroff";
diff --git a/nixos/modules/tasks/cpu-freq.nix b/nixos/modules/tasks/cpu-freq.nix
index ce36a8bab09..705ec93a136 100644
--- a/nixos/modules/tasks/cpu-freq.nix
+++ b/nixos/modules/tasks/cpu-freq.nix
@@ -33,6 +33,8 @@ with pkgs.lib;
         after = [ "systemd-modules-load.service" ];
         wantedBy = [ "multi-user.target" ];
 
+        unitConfig.ConditionPathIsReadWrite = "/sys/devices/";
+
         path = [ pkgs.cpufrequtils ];
 
         preStart = ''
diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix
index d8522b6abba..b1ab989f130 100644
--- a/nixos/modules/tasks/network-interfaces.nix
+++ b/nixos/modules/tasks/network-interfaces.nix
@@ -270,6 +270,8 @@ in
             before = [ "network.target" ];
             wantedBy = [ "network.target" ];
 
+            unitConfig.ConditionCapability = "CAP_NET_ADMIN";
+
             path = [ pkgs.iproute ];
 
             serviceConfig.Type = "oneshot";
diff --git a/nixos/modules/tasks/scsi-link-power-management.nix b/nixos/modules/tasks/scsi-link-power-management.nix
index 4927952080f..071a8086598 100644
--- a/nixos/modules/tasks/scsi-link-power-management.nix
+++ b/nixos/modules/tasks/scsi-link-power-management.nix
@@ -31,6 +31,8 @@ with pkgs.lib;
 
         task = true;
 
+        unitConfig.ConditionPathIsReadWrite = "/sys/class/scsi_host";
+
         script = ''
           shopt -s nullglob
           for x in /sys/class/scsi_host/host*/link_power_management_policy; do
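Review bot: The new condition path `"/sys/class/scsi_host"` has no trailing slash while the other read-write conditions in this commit use `"/sys/devices/"` and `"/proc/sys/"`; the check is on the underlying mount either way, but a consistent form avoids the question for the next reader. Since the script already uses `shopt -s nullglob` and only loops over whatever `link_power_management_policy` files exist, the condition changes the outcome only where sysfs is mounted read-only, which a short comment on the new line should say: `# sysfs is read-only in containers`. The task definition and the loop continue outside this hunk.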