Open mweinelt opened 3 years ago
Currently, the tool can only check packages. Maybe we should have a separate tool for NixOS modules.
I suspect we could just create a module with assertions and import that into the configuration.nix
if we wanted to validate system configurations. But if we wanted to validate NixOS module code (e.g. on pull requests), that would be harder. Could we access the non-evaluated child nodes of mkIfs and traverse the whole tree before it is merged into config?
The module system via systemd offers a way to control the bounding set of capabilities for a service.
There is an easy mistake to make: setting this to an empty list, which will result in the option not being set at all, resulting in an open capability set.
Instead, an empty string should be used, so the option would be set without a value, instead of not at all.
Is this something nixpkgs-hammering could look at?
https://github.com/NixOS/nixpkgs/issues/120617
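As an added example (not code from nixpkgs-hammering or from the issue author), the "module with assertions imported from configuration.nix" approach mentioned above, applied to this exact mistake: it fails evaluation when any unit sets `serviceConfig.CapabilityBoundingSet` to `[ ]`, and names the offending units. The module and its message text are constructed here and make no assumptions beyond the standard `systemd.services` and `assertions` options.

```nix
# Hypothetical check module (not part of nixpkgs-hammering). Import it from
# configuration.nix; `nixos-rebuild` then aborts if any service uses the
# empty-list form.
{ config, lib, ... }:

let
  inherit (lib) attrNames filter concatStringsSep;

  # Services whose serviceConfig.CapabilityBoundingSet is the empty list.
  # In the generated unit file, a list value is rendered one line per
  # element, so [ ] renders to nothing and the service keeps the full
  # bounding set. The string "" renders to the line "CapabilityBoundingSet="
  # which systemd interprets as "no capabilities".
  offenders = filter (name:
    (config.systemd.services.${name}.serviceConfig.CapabilityBoundingSet or null) == [ ]
  ) (attrNames config.systemd.services);
in
{
  assertions = [
    {
      assertion = offenders == [ ];
      message = ''
        serviceConfig.CapabilityBoundingSet = [ ] does not restrict capabilities:
        the option is omitted from the unit entirely. Use "" to emit an empty
        CapabilityBoundingSet= line instead. Offending units:
        ${concatStringsSep ", " offenders}
      '';
    }
  ];
}
```

The corrected form for a service is `serviceConfig.CapabilityBoundingSet = "";`, which this module accepts.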