dhcpcd: bring back enablePrivSep option, nixos/release-notes: remove duplicate note (#347578)

2024-11-26 17:03:01 +00:00 · 2024-10-12 13:01:52 +02:00 · 2024-10-12 13:01:52 +02:00 · 3106e48fbc
commit 3106e48fbc
parent 603585479a fb28bba040
2 changed files with 3 additions and 3 deletions
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@ -615,8 +615,6 @@

 - `nixosTests` now provide a working IPv6 setup for VLAN 1 by default.

- `services.dhcpcd` is now started with additional systemd sandbox/hardening options for better security. When using `networking.dhcpcd.runHook` these settings are not applied.
-
 - Kanidm can now be provisioned using the new [`services.kanidm.provision`] option, but requires using a patched version available via `pkgs.kanidm.withSecretProvisioning`.

 - Kanidm previously had an incorrect systemd service type, causing dependent units with an `after` and `requires` directive to start before `kanidm*` finished startup. The module has now been updated in line with upstream recommendations.
--- a/pkgs/tools/networking/dhcpcd/default.nix
+++ b/pkgs/tools/networking/dhcpcd/default.nix
@ -7,6 +7,7 @@
 , runtimeShellPackage
 , runtimeShell
 , nixosTests
+, enablePrivSep ? false
 }:

 stdenv.mkDerivation rec {
@ -39,7 +40,8 @@ stdenv.mkDerivation rec {
    "--localstatedir=/var"
    "--disable-privsep"
    "--dbdir=/var/lib/dhcpcd"
-  ];
+    (lib.enableFeature enablePrivSep "privsep")
+  ] ++ lib.optional enablePrivSep "--privsepuser=dhcpcd";

  makeFlags = [ "PREFIX=${placeholder "out"}" ];