Merge pull request #138516 from rnhmjoj/lock-kernel-fix

nixos/lock-kernel-modules: reorder before/after

2 files changed, 2 insertions, 1 deletions

diff --git a/nixos/modules/security/lock-kernel-modules.nix b/nixos/modules/security/lock-kernel-modules.nix
index 3c4cc69e0e3d..065587bc286e 100644
--- a/nixos/modules/security/lock-kernel-modules.nix
+++ b/nixos/modules/security/lock-kernel-modules.nix
@@ -35,10 +35,10 @@ with lib;
       wants = [ "systemd-udevd.service" ];
       wantedBy = [ config.systemd.defaultUnit ];
 
-      before = [ config.systemd.defaultUnit ];
       after =
         [ "firewall.service"
           "systemd-modules-load.service"
+           config.systemd.defaultUnit
         ];
 
       unitConfig.ConditionPathIsReadWrite = "/proc/sys/kernel";
diff --git a/nixos/tests/hardened.nix b/nixos/tests/hardened.nix
index a0b629086b5a..b76ae83a3287 100644
--- a/nixos/tests/hardened.nix
+++ b/nixos/tests/hardened.nix
@@ -57,6 +57,7 @@ import ./make-test-python.nix ({ pkgs, latestKernel ? false, ... } : {
       # Test kernel module hardening
       with subtest("No more kernel modules can be loaded"):
           # note: this better a be module we normally wouldn't load ...
+          machine.wait_for_unit("disable-kernel-module-loading.service")
           machine.fail("modprobe dccp")