nixos/audit: rename service to audit-rules-nixos to avoid collisions with the upstream unit

2025-09-11 09:50:00 +02:00
parent c98add0012
commit 1884f0fa52
2 changed files with 7 additions and 4 deletions
--- a/nixos/modules/security/audit.nix
+++ b/nixos/modules/security/audit.nix
@@ -95,7 +95,10 @@ in

    environment.systemPackages = [ pkgs.audit ];

-    systemd.services.audit-rules = {
+    # upstream contains a audit-rules.service, which uses augenrules.
+    # That script does not handle cleanup correctly and insists on loading from /etc/audit.
+    # So, instead we have our own service for loading rules.
+    systemd.services.audit-rules-nixos = {
      description = "Load Audit Rules";
      wantedBy = [ "sysinit.target" ];
      before = [
--- a/nixos/tests/audit.nix
+++ b/nixos/tests/audit.nix
@@ -31,7 +31,7 @@
  };

  testScript = ''
-    machine.wait_for_unit("audit-rules.service")
+    machine.wait_for_unit("audit-rules-nixos.service")
    machine.wait_for_unit("auditd.service")

    with subtest("Audit subsystem gets enabled"):
@@ -46,8 +46,8 @@
      machine.succeed("hello")
      print(machine.succeed("ausearch -k nixos-test -sc exit_group"))

-    with subtest("Stopping audit-rules.service disables the audit subsystem"):
-      machine.succeed("systemctl stop audit-rules.service")
+    with subtest("Stopping audit-rules-nixos.service disables the audit subsystem"):
+      machine.succeed("systemctl stop audit-rules-nixos.service")
      t.assertIn("enabled 0", machine.succeed("auditctl -s"))
  '';