services/journald: introduce audit option

We default this option to null ; which is different from upstream which defaults this to true. Defaulting this to true leads to log-spam in /dev/kmesg and thus in our opinion is a bad default https://github.com/systemd/systemd/issues/15324 (cherry picked from commit ff78e34e0b)
2025-07-19 16:40:32 +03:00 · 2025-02-05 15:19:25 +01:00 · 2025-02-05 15:19:25 +01:00 · defd7d0255
commit defd7d0255
parent ed1f15c747
1 changed files with 23 additions and 1 deletions
--- a/nixos/modules/system/boot/systemd/journald.nix
+++ b/nixos/modules/system/boot/systemd/journald.nix
@ -2,6 +2,7 @@
  config,
  lib,
  pkgs,
+  utils,
  ...
 }:
 let
@ -78,6 +79,23 @@ in
      '';
    };

+    services.journald.audit = lib.mkOption {
+      default = null;
+      type = lib.types.nullOr lib.types.bool;
+      description = ''
+        If enabled systemd-journald will turn on auditing on start-up.
+        If disabled it will turn it off. If unset it will neither enable nor disable it, leaving the previous state unchanged.
+
+        NixOS defaults to leaving this unset as enabling audit without auditd running leads to spamming /dev/kmesg with random messages
+        and if you enable auditd then auditd is responsible for turning auditing on.
+
+        If you want to have audit logs in journald and do not mind audit logs also ending up in /dev/kmesg you can set this option to true.
+
+        If you want to for some ununderstandable reason disable auditing if auditd enabled it then you can set this option to false.
+        It is of NixOS' opinion that setting this to false is definitely the wrong thing to do - but it's an option.
+      '';
+    };
+
    services.journald.extraConfig = lib.mkOption {
      default = "";
      type = lib.types.lines;
@ -116,7 +134,10 @@ in
        "syslog.socket"
      ];

-    systemd.sockets.systemd-journald-audit.wantedBy = [ "systemd-journald.service" "sockets.target" ];
+    systemd.sockets.systemd-journald-audit.wantedBy = [
+      "systemd-journald.service"
+      "sockets.target"
+    ];

    environment.etc = {
      "systemd/journald.conf".text = ''
@ -131,6 +152,7 @@ in
        ${lib.optionalString (cfg.forwardToSyslog) ''
          ForwardToSyslog=yes
        ''}
+        Audit=${utils.systemdUtils.lib.toOption cfg.audit}
        ${cfg.extraConfig}
      '';
    };