nixos/lock-kernel-modules: use udevadm settle
Instead of relying on systemd-udev-settle, which is deprecated,
directly call `udevadm settle` to wait for hardware to settle.
rnhmjoj committed Sep 15, 2021
1 parent ddbbf5d commit dc34788
Showing 1 changed file with 19 additions and 9 deletions.
28 changes: 19 additions & 9 deletions nixos/modules/security/lock-kernel-modules.nix
@@ -1,4 +1,4 @@
{ config, lib, ... }:
{ config, pkgs, lib, ... }:

with lib;

Expand All @@ -13,7 +13,7 @@ with lib;
default = false;
description = ''
Disable kernel module loading once the system is fully initialised.
Module loading is disabled until the next reboot. Problems caused
Module loading is disabled until the next reboot. Problems caused
by delayed module loading can be fixed by adding the module(s) in
question to <option>boot.kernelModules</option>.
'';
Expand All @@ -29,20 +29,30 @@ with lib;
else [ x.fsType ]
else []) config.system.build.fileSystems;

systemd.services.disable-kernel-module-loading = rec {
systemd.services.disable-kernel-module-loading = {
description = "Disable kernel module loading";

wants = [ "systemd-udevd.service" ];
wantedBy = [ config.systemd.defaultUnit ];

after = [ "systemd-udev-settle.service" "firewall.service" "systemd-modules-load.service" ] ++ wantedBy;
before = [ config.systemd.defaultUnit ];
after =
[ "firewall.service"
"systemd-modules-load.service"
];

unitConfig.ConditionPathIsReadWrite = "/proc/sys/kernel";

serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "/bin/sh -c 'echo -n 1 >/proc/sys/kernel/modules_disabled'";
};
serviceConfig =
{ Type = "oneshot";
RemainAfterExit = true;
TimeoutSec = 180;
};

script = ''
${pkgs.udev}/bin/udevadm settle
echo -n 1 >/proc/sys/kernel/modules_disabled
'';
};
};
}
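Review bot: In the new `script`, a failing `udevadm settle` (it exits non-zero when its own wait timeout expires, 120 s by default) aborts the script before the `echo -n 1 >/proc/sys/kernel/modules_disabled` line is reached, assuming the NixOS `script` wrapper runs the shell with `-e` as it does for other units, so a slow device enumeration leaves module loading unlocked — the control fails open, with only a failed oneshot unit to show for it. Make the intended outcome explicit, e.g. `${pkgs.udev}/bin/udevadm settle || echo "udevadm settle failed; locking module loading anyway" >&2` in place of the bare `udevadm settle` line, or, if skipping the lock on a settle timeout is deliberate, a one-line comment in the script saying so. `TimeoutSec = 180` is longer than that default, so the unit timeout is unlikely to be what fires first. Separately, `wants = [ "systemd-udevd.service" ]` adds no ordering, so `udevadm settle` may run before udevd is up unless something else orders it; adding `"systemd-udevd.service"` to `after` would make the dependency explicit.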
