fix aa patch

aa_mod.patch

@@ -1,76 +0,0 @@
-diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix
-index a4b3807e4e0f..87a2c2c81feb 100644
---- a/nixos/modules/security/apparmor.nix
-+++ b/nixos/modules/security/apparmor.nix
-@@ -3,15 +3,11 @@
- with lib;
- 
- let
--  inherit (builtins) attrNames head map match readFile;
-+  inherit (builtins) attrNames map match;
-   inherit (lib) types;
-   inherit (config.environment) etc;
-   cfg = config.security.apparmor;
--  mkDisableOption = name: mkEnableOption name // {
--    default = true;
--    example = false;
--  };
--  enabledPolicies = filterAttrs (n: p: p.enable) cfg.policies;
-+  enabledPolicies = filterAttrs (n: p: p.state != "disable") cfg.policies;
- in
- 
- {
-@@ -45,15 +41,30 @@ in
-         description = ''
-           AppArmor policies.
-         '';
--        type = types.attrsOf (types.submodule ({ name, config, ... }: {
-+        type = types.attrsOf (types.submodule ({ name, config, options, ... }: {
-           options = {
--            enable = mkDisableOption "loading of the profile into the kernel";
--            enforce = mkDisableOption "enforcing of the policy or only complain in the logs";
-+            state = mkOption {
-+              description =
-+                "The state of the profile as applied to the system by nix";
-+              type = types.enum [ "disable" "complain" "enforce" ];
-+              # should enforce really be the default?
-+              # the docs state that this should only be used once one is REALLY sure nothing's gonna break
-+              default = "enforce";
-+            };
-+
-             profile = mkOption {
--              description = "The policy of the profile.";
-+              description = "The policy of the profile. Incompatible with path.";
-               type = types.lines;
--              apply = pkgs.writeText name;
-             };
-+
-+            path = mkOption {
-+              type = types.nullOr types.path;
-+              default = null;
-+              description = "A path of a profile to include. Incompatible with profile.";
-+              apply = p: assert (assertMsg ((p != null && !options.profile.isDefined) || (p == null && options.profile.isDefined))
-+                "`security.apparmor.policies.\"${name}\"` must define exactly one of either path or profile.");
-+                  (if (p != null) then p else (pkgs.writeText name config.profile));
-+             };
-           };
-         }));
-         default = {};
-@@ -108,7 +119,7 @@ in
-     environment.etc."apparmor.d".source = pkgs.linkFarm "apparmor.d" (
-       # It's important to put only enabledPolicies here and not all cfg.policies
-       # because aa-remove-unknown reads profiles from all /etc/apparmor.d/*
--      mapAttrsToList (name: p: { inherit name; path = p.profile; }) enabledPolicies ++
-+      mapAttrsToList (name: p: { inherit name; path = p.path; }) enabledPolicies ++
-       mapAttrsToList (name: path: { inherit name path; }) cfg.includes
-     );
-     environment.etc."apparmor/parser.conf".text = ''
-@@ -187,7 +198,7 @@ in
-           xargs --verbose --no-run-if-empty --delimiter='\n' \
-           kill
-         '';
--        commonOpts = p: "--verbose --show-cache ${optionalString (!p.enforce) "--complain "}${p.profile}";
-+        commonOpts = p: "--verbose --show-cache ${optionalString (p.state == "complain") "--complain "}${p.path}";
-         in {
-         Type = "oneshot";
-         RemainAfterExit = "yes";

flake.nix

@@ -53,7 +53,10 @@
     }:
     let
       patches = [
-        ./aa_mod.patch
+        {
+          url = "https://patch-diff.githubusercontent.com/raw/NixOS/nixpkgs/pull/356796.patch";
+          hash = "sha256-nlyqFxvD6O7MDNJxs/9pCRWzo4XvG++Znc3HvDFkiiY=";
+        }
       ];
 
       customNixosSystem =