nixos/chrony: add enableMemoryLocking option

Fixes #222629.
author: Franz Pletz <fpletz@fnordicwalking.de> 2023-08-10 01:40:47 +0200
committer: Franz Pletz <fpletz@fnordicwalking.de> 2023-08-10 03:03:53 +0200
commit: c13c1412bfeacf3df757a82476a57f8c3d2c2ba5 (patch)
tree: d3f0e2226f4fc78251812a9283b792dc9bcc2a9c
parent: cef068f3b3b0a9fdd68c45adc6847220ab988727 (diff)
1 files changed, 13 insertions, 1 deletions
diff --git a/nixos/modules/services/networking/ntp/chrony.nix b/nixos/modules/services/networking/ntp/chrony.nix
index 2d421abc8be79..afd721e34da5a 100644
--- a/nixos/modules/services/networking/ntp/chrony.nix
+++ b/nixos/modules/services/networking/ntp/chrony.nix
@@ -27,7 +27,10 @@ let
     ${cfg.extraConfig}
   '';
 
-  chronyFlags = [ "-n" "-m" "-u" "chrony" "-f" "${configFile}" ] ++ cfg.extraFlags;
+  chronyFlags =
+    [ "-n" "-u" "chrony" "-f" "${configFile}" ]
+    ++ optional cfg.enableMemoryLocking "-m"
+    ++ cfg.extraFlags;
 in
 {
   options = {
@@ -73,6 +76,15 @@ in
         '';
       };
 
+      enableMemoryLocking = mkOption {
+        type = types.bool;
+        default = config.environment.memoryAllocator.provider != "graphene-hardened";
+        defaultText = ''config.environment.memoryAllocator.provider != "graphene-hardened"'';
+        description = lib.mdDoc ''
+          Whether to add the `-m` flag to lock memory.
+        '';
+      };
+
       enableNTS = mkOption {
         type = types.bool;
         default = false;
author	Franz Pletz <fpletz@fnordicwalking.de>	2023-08-10 01:40:47 +0200
committer	Franz Pletz <fpletz@fnordicwalking.de>	2023-08-10 03:03:53 +0200
commit	c13c1412bfeacf3df757a82476a57f8c3d2c2ba5 (patch)
tree	d3f0e2226f4fc78251812a9283b792dc9bcc2a9c
parent	cef068f3b3b0a9fdd68c45adc6847220ab988727 (diff)