benaryorg e434130d0b nixos/systemd: unconditional systemd-journald-audit.socket ... Containers did not have *systemd-journald-audit.socket* in *additionalUpstreamSystemUnits*, which meant that the unit was not provided. However the *wantedBy* was added without any additional check, therefore creating an empty unit with just the *WantedBy* on *boot.isContainer* machines. This caused `systemd-analyze verify` to fail: ```text systemd-journald-audit.socket: Unit has no Listen setting (ListenStream=, ListenDatagram=, ListenFIFO=, ...). Refusing. systemd-journald-audit.socket: Cannot add dependency job, ignoring: Unit systemd-journald-audit.socket has a bad unit file setting. systemd-journald-audit.socket: Cannot add dependency job, ignoring: Unit systemd-journald-audit.socket has a bad unit file setting. ``` The upstream unit already contains the following, which should make it safe to include regardless: ```ini [Unit] ConditionSecurity=audit ConditionCapability=CAP_AUDIT_READ ``` For reference, this popped up in the context of #[360426](https://redirect.github.com/NixOS/nixpkgs/issues/360426) as well as #[407696](https://redirect.github.com/NixOS/nixpkgs/pull/407696). Co-authored-by: Bruce Toll <4109762+tollb@users.noreply.github.com> Signed-off-by: benaryorg <binary@benary.org>		2025-05-18 19:58:59 +00:00
..
activation	nixos/specialisation: escape and restrict specialisation names (#405393)	2025-05-17 19:47:05 +02:00
boot	nixos/systemd: unconditional systemd-journald-audit.socket	2025-05-18 19:58:59 +00:00
etc	nixos/etc-overlay: mount etc with nodev,nosuid (#406397)	2025-05-17 20:32:38 +02:00
build.nix	treewide: format all inactive Nix files	2024-12-10 20:26:33 +01:00