-rw-r--r--nixos/modules/security/misc.nix24
1 files changed, 13 insertions, 11 deletions
diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix
index 42f872b7b08..f3fc6db22ea 100644
--- a/nixos/modules/security/misc.nix
+++ b/nixos/modules/security/misc.nix
@@ -24,16 +24,18 @@ with lib;
     };
   };
 
-  config = mkIf (!config.security.allowUserNamespaces) {
-    # Setting the number of allowed user namespaces to 0 effectively disables
-    # the feature at runtime.  Note that root may raise the limit again
-    # at any time.
-    boot.kernel.sysctl."user.max_user_namespaces" = 0;
+  config = mkMerge [
+    (mkIf (!config.security.allowUserNamespaces) {
+      # Setting the number of allowed user namespaces to 0 effectively disables
+      # the feature at runtime.  Note that root may raise the limit again
+      # at any time.
+      boot.kernel.sysctl."user.max_user_namespaces" = 0;
 
-    assertions = [
-      { assertion = config.nix.useSandbox -> config.security.allowUserNamespaces;
-        message = "`nix.useSandbox = true` conflicts with `!security.allowUserNamespaces`.";
-      }
-    ];
-  };
+      assertions = [
+        { assertion = config.nix.useSandbox -> config.security.allowUserNamespaces;
+          message = "`nix.useSandbox = true` conflicts with `!security.allowUserNamespaces`.";
+        }
+      ];
+    })
+  ];
 }
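Review bot: The assertion in the new `mkIf (!config.security.allowUserNamespaces)` entry is still guarded by the condition it tests, so `config.nix.useSandbox -> config.security.allowUserNamespaces` can only ever reduce to `!config.nix.useSandbox` there. Now that `config` is an `mkMerge` list, the `assertions` attribute could move into its own unconditional entry, leaving the guarded entry with only the sysctl. The list currently has a single element, so if more entries are planned a one-line comment above `config = mkMerge [` saying so would explain the wrapper. The retained comment's caveat still applies: `user.max_user_namespaces = 0` is a runtime limit that root can raise, so it reduces attack surface for unprivileged users rather than constraining root.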