nixpkgs/nixos/tests/chrony.nix
rnhmjoj a432668acf
dhcpcd: disable privsep by default
The priviledge separation mode has several downsides:

  - it's incompatible with alternative memory allocators, including
    graphene-hardened;

  - it needs an unreleased patch to fix a crash;

  - it results in none less than 6 subprocesses running at any time,
    increasing the memory usage;

  - the privileged process (albeit not doing any networking related
    tasks) is still running as root, so it has complete access to the
    system.

Let's disable this by default and instead run dhcpcd as an unpriviledge
user with only the necessary capabilities.
2024-09-16 01:23:54 +02:00

29 lines
746 B
Nix

import ./make-test-python.nix ({ lib, ... }:
{
name = "chrony";
meta = {
maintainers = with lib.maintainers; [ fpletz ];
};
nodes = {
machine = {
services.chrony.enable = true;
specialisation.hardened.configuration = {
services.chrony.enableMemoryLocking = true;
environment.memoryAllocator.provider = "graphene-hardened";
};
};
};
testScript = ''
machine.start()
machine.wait_for_unit('multi-user.target')
machine.succeed('systemctl is-active chronyd.service')
machine.succeed('/run/booted-system/specialisation/hardened/bin/switch-to-configuration test')
machine.succeed('systemctl restart chronyd.service')
machine.wait_for_unit('chronyd.service')
'';
})