From 30be9ada2486b92c39ddc464676f028dce980b55 Mon Sep 17 00:00:00 2001
From: tv
Date: Tue, 13 Jan 2026 13:55:34 +0100
Subject: gitignore: fix bug introduced by 68d3c92

---
 krebs/3modules/setuid.nix | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'krebs/3modules/setuid.nix')

diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix
index ce41548ae..d13fcccaa 100644
--- a/krebs/3modules/setuid.nix
+++ b/krebs/3modules/setuid.nix
@@ -33,7 +33,7 @@ let
 };
 capabilities = mkOption {
 default = [];
- type = types.listOf types.str;
+ type = types.listOf types.str; # TODO
 };
 owner = mkOption {
 default = "root";
@@ -52,6 +52,8 @@ let
 merge = mergeOneOption;
 };
 };
+ # TODO clear non-standard wrapperDirs
+ # TODO? allow only wrapperDirs below /run/wrappers?
 wrapperDir = mkOption {
 default = config.security.wrapperDir;
 type = types.absolute-pathname;
@@ -73,13 +75,16 @@ let
 chown ${cfg.owner}:${cfg.group} ${dst}
 chmod ${cfg.mode} ${dst}
 ${optionalString (cfg.capabilities != []) /* sh */ ''
+ set -x
 ${pkgs.libcap.out}/bin/setcap ${concatMapStringsSep "," shell.escape cfg.capabilities} ${dst}
+ set +x
 ''}
 '';
 }));
 };

 imp = {
+ # run after "wrappers" so config.security.wrapperDir can be hijacked.
 systemd.services."krebs.setuid" = {
 wantedBy = [ "suid-sgid-wrappers.service" ];
 after = [ "suid-sgid-wrappers.service" ];
-- 
cgit v1.2.3
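Review bot: The bare `# TODO` appended to the capabilities type tells the next maintainer nothing about what is missing; say what the intended restriction is, e.g. `# TODO: restrict to well-formed setcap clauses (e.g. "cap_net_bind_service=ep") instead of arbitrary strings`. Each entry is passed through shell.escape before reaching setcap (third hunk), so an arbitrary string cannot break out of the command, but a malformed clause only fails at activation time rather than at evaluation. The option set this belongs to starts and ends outside the hunk.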
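Review bot: The two TODOs above wrapperDir record a real gap but leave it open: with `type = types.absolute-pathname` any directory is accepted, and a setuid or capability-bearing file written somewhere other than the NixOS-managed wrapper directory is, as far as this module shows, never removed once the configuration that created it goes away (whether the default directory is wiped on each activation depends on NixOS code not visible here). Encoding the restriction now is cheap and turns a stale privileged binary on disk into an evaluation-time failure, e.g. `type = types.addCheck types.absolute-pathname (p: hasPrefix "/run/wrappers/" p);` (or an `assertions` entry with a readable message if a hard type check is too strict for existing hosts). The option set containing wrapperDir starts and ends outside the hunk.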
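Review bot: The `set -x` / `set +x` pair around the setcap call reads as leftover debugging rather than a deliberate change: it traces the expanded command into the service journal on every activation, and the unconditional `set +x` switches xtrace off even if the enclosing script had enabled it. If the goal is to make the applied capabilities auditable, an explicit line such as `echo "setcap ${concatMapStringsSep "," shell.escape cfg.capabilities} ${dst}" >&2` does that without touching shell options; otherwise drop both lines. The new comment `# run after "wrappers" so config.security.wrapperDir can be hijacked.` is the security-relevant rationale for the ordering and deserves plainer wording, e.g. `# Ordered after suid-sgid-wrappers.service: NixOS populates config.security.wrapperDir in that unit, so our wrappers must be installed afterwards (assumed; verify against the NixOS unit).` Note also that `${dst}` is interpolated into the setcap command without shell.escape while the capabilities are escaped; its definition, and the rest of the let-binding, lie outside the hunk.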