From 0f2160901b259f6cab00b89e434e031a7ec66870 Mon Sep 17 00:00:00 2001
From: Paul Grandperrin
Date: Tue, 19 Nov 2024 14:43:02 +0100
Subject: [PATCH] nixos-containers: fix enableTun option

When using private users, `mknod /dev/net/tun` is run from the guest and therefor needs the `m` modifier.

(cherry picked from commit 853d34898d84b54977f24e5f1e13d1bcf6972cd8)
---
 nixos/modules/virtualisation/nixos-containers.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/virtualisation/nixos-containers.nix b/nixos/modules/virtualisation/nixos-containers.nix
index 812d22d773e1..cd9f4b3a5d26 100644
--- a/nixos/modules/virtualisation/nixos-containers.nix
+++ b/nixos/modules/virtualisation/nixos-containers.nix
@@ -705,7 +705,7 @@ in
 allowedDevices = mkOption {
 type = with types; listOf (submodule allowedDeviceOpts);
 default = [];
- example = [ { node = "/dev/net/tun"; modifier = "rw"; } ];
+ example = [ { node = "/dev/net/tun"; modifier = "rwm"; } ];
 description = ''
 A list of device nodes to which the containers has access to.
 '';
@@ -835,7 +835,7 @@ in
 optionalAttrs cfg.enableTun
 {
 allowedDevices = cfg.allowedDevices
- ++ [ { node = "/dev/net/tun"; modifier = "rw"; } ];
+ ++ [ { node = "/dev/net/tun"; modifier = "rwm"; } ];
 additionalCapabilities = cfg.additionalCapabilities
 ++ [ "CAP_NET_ADMIN" ];
 }
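Review bot: In the second hunk the `m` (mknod) modifier is now granted to every container with `enableTun`, whereas the commit message only motivates it for the private-users case, so containers that run without private users also gain permission to create the /dev/net/tun node themselves; if that wider grant is the intended trade-off, it deserves a comment at the `++ [ { node = "/dev/net/tun"; modifier = "rwm"; } ]` line, e.g. `# "m" lets the guest mknod /dev/net/tun itself, which is required when private users are enabled`. The first hunk's example should probably mirror that explanation in the `allowedDevices` description, which currently says nothing about what the modifier letters mean. Note that `cfg.allowedDevices` is concatenated in front of this entry, so a user-supplied entry for the same node with a different modifier is presumably kept alongside it rather than overridden — worth confirming against how the merged list is consumed. The expression that `optionalAttrs cfg.enableTun` is appended to begins outside the hunk.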