diff --git a/common/tooling/apparmor/aa-alias-module.nix b/common/tooling/apparmor/aa-alias-module.nix
index 48539da..32cf1a6 100644
--- a/common/tooling/apparmor/aa-alias-module.nix
+++ b/common/tooling/apparmor/aa-alias-module.nix
@@ -5,21 +5,29 @@
 ...
 }:
 let
- inherit (lib) getExe;
+ inherit (lib) getExe mkIf;
 aa-alias-manager = pkgs.callPackage ./aa-alias-manager-package.nix { };
 alias_dir = "/run/aliases.d";
 in
 {
- config = {
+ config = mkIf config.security.apparmor.enable {
 security.apparmor.includes."tunables/alias.d/store" = ''
 include if exists "${alias_dir}"
 '';
 systemd.services.aa-alias-setup = {
+ after = [ "local-fs.target" ];
 before = [ "apparmor.service" ];
 requiredBy = [ "apparmor.service" ];
+ path = [ config.nix.package ]; # respect the users choice to use alternative nix implementations
+ unitConfig = {
+ Description = "Initialize alias rules required for AppArmor policies";
+ DefaultDependencies = "no";
+ ConditionSecurity = "apparmor";
+ };
+
 serviceConfig = {
 Type = "oneshot";
 ExecStart = "${getExe aa-alias-manager} -o ${alias_dir} -p ${./aa-alias-patterns.json}";