Commit

fix: disable failing logrotate checks to accommodate hardened machines (#160)

Disabling user namespaces causes a logrotate configuration check
to fail. In order to build logrotate configurations and thus NixOS
systems on such machines, we need to disable the check.
As we cannot vary the configuration by the build machine, we
must globally disable it.
NoRePercussions authored Dec 25, 2024
1 parent 3263d98 commit 4fac572
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions hosts/common/nixos/cis-hardening.nix
@@ -39,6 +39,12 @@

# This is required by podman to run containers in rootless mode.
security.unprivilegedUsernsClone = config.virtualisation.containers.enable;
# Disabling user namespaces causes a logrotate configuration check
# to fail. In order to build logrotate configurations and thus NixOS
# systems on such machines, we need to disable the check.
# As we cannot vary the configuration by the build machine, we
# must globally disable it.
services.logrotate.checkConfig = false;

security.virtualisation.flushL1DataCache = "always";
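Review bot: `services.logrotate.checkConfig = false;` removes the build-time validation of the generated logrotate configuration for every host, not only for builds performed on hardened machines, so a broken logrotate config will now surface only at runtime on the deployed system (logs that silently stop rotating are a disk-fill and audit-trail risk, which matters on a host that is being CIS-hardened). The comment block above the line explains why the check fails but not what replaces it; suggest extending it with the compensating step (for example, running `logrotate --debug` against the generated config on a machine where user namespaces are available, or re-enabling the check once the build machine allows it) so the trade-off is visible to the next reader. The placement is otherwise consistent: `security.unprivilegedUsernsClone` two lines above is tied to `config.virtualisation.containers.enable`, so hosts without containers are exactly the ones where user namespaces stay disabled.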


0 comments on commit 4fac572