nixos/hardened: simplify script

2024-11-11 15:27:20 +03:00 · 2017-09-10 01:10:29 +02:00 · 2017-09-10 01:10:29 +02:00 · 15a4f9d8ef
commit 15a4f9d8ef
parent 84bd2f4ab0
1 changed files with 2 additions and 2 deletions
--- a/nixos/modules/security/lock-kernel-modules.nix
+++ b/nixos/modules/security/lock-kernel-modules.nix
@ -21,15 +21,15 @@ with lib;
      description = "Disable kernel module loading";

      wantedBy = [ config.systemd.defaultUnit ];
-      after = [ "systemd-udev-settle.service" "firewall.service" "systemd-modules-load.service" ] ++ wantedBy;

-      script = "echo -n 1 > /proc/sys/kernel/modules_disabled";
+      after = [ "systemd-udev-settle.service" "firewall.service" "systemd-modules-load.service" ] ++ wantedBy;

      unitConfig.ConditionPathIsReadWrite = "/proc/sys/kernel";

      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
+        ExecStart = "/bin/sh -c 'echo -n 1 >/proc/sys/kernel/modules_disabled'";
      };
    };
  };