diff --git a/nixosModules/default.nix b/nixosModules/default.nix
index c2307e1..ad397d9 100644
--- a/nixosModules/default.nix
+++ b/nixosModules/default.nix
@@ -80,7 +80,6 @@ in {
       "systemd-journald.service"
       "systemd-udevd-kernel.socket"
       "systemd-udevd-control.socket"
-      "systemd-udevd.service"
       "user.slice"
     ];
     upstreamWants = ["multi-user.target.wants"];
@@ -98,6 +97,39 @@ in {
     systemd.services.systemd-pstore.enable = lib.mkForce false;
     systemd.services.lastlog2-import.enable = lib.mkForce false;
     systemd.services.suid-sgid-wrappers.enable = lib.mkForce false;
+    systemd.services.systemd-udevd = {
+      # Redefine to remove the Before deps and get out of the critical chain
+      enable = true;
+      description = "Rule-based Manager for Device Events and Files";
+      unitConfig.DefaultDependencies = "no";
+      serviceConfig = {
+        CapabilityBoundingSet = "~CAP_SYS_TIME CAP_WAKE_ALARM";
+        Delegate = "";
+        DelegateSubgroup = "udev";
+        Type = "notify-reload";
+        OOMScoreAdjust = "-1000";
+        Sockets = "systemd-udevd-control.socket systemd-udevd-kernel.socket systemd-udevd-varlink.socket";
+        Restart = "always";
+        RestartSec = "0";
+        ExecStart = "${pkgs.systemd}/lib/systemd/systemd-udevd";
+        FileDescriptorStoreMax = "512";
+        FileDescriptorStorePreserve = "yes";
+        KillMode = "mixed";
+        TasksMax = "infinity";
+        PrivateMounts = "yes";
+        ProtectHostname = "yes";
+        MemoryDenyWriteExecute = "yes";
+        RestrictAddressFamilies = "AF_UNIX AF_NETLINK AF_INET AF_INET6";
+        RestrictRealtime = "yes";
+        RestrictSUIDSGID = "yes";
+        SystemCallFilter = ["@system-service @module @raw-io bpf" "~@clock"];
+        SystemCallErrorNumber = "EPERM";
+        SystemCallArchitectures = "native";
+        LockPersonality = "yes";
+        IPAddressDeny = "any";
+        WatchdogSec = "3min";
+      };
+    };
     # Configure user accounts
     # The immutable overlay wants userborn or sysusers.. we just want baked-in files w/o running a service.