From 15a4f9d8efd4418bc748b57aa7df377b1c024974 Mon Sep 17 00:00:00 2001
From: Joachim Fasting
Date: Sun, 10 Sep 2017 01:10:29 +0200
Subject: [PATCH] nixos/hardened: simplify script
---
 nixos/modules/security/lock-kernel-modules.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nixos/modules/security/lock-kernel-modules.nix b/nixos/modules/security/lock-kernel-modules.nix
index 260ec3fc946..30fdb1e2bab 100644
--- a/nixos/modules/security/lock-kernel-modules.nix
+++ b/nixos/modules/security/lock-kernel-modules.nix
@@ -21,15 +21,15 @@ with lib;
 description = "Disable kernel module loading";
 wantedBy = [ config.systemd.defaultUnit ];
- after = [ "systemd-udev-settle.service" "firewall.service" "systemd-modules-load.service" ] ++ wantedBy;
- script = "echo -n 1 > /proc/sys/kernel/modules_disabled";
+ after = [ "systemd-udev-settle.service" "firewall.service" "systemd-modules-load.service" ] ++ wantedBy;
 unitConfig.ConditionPathIsReadWrite = "/proc/sys/kernel";
 serviceConfig = {
 Type = "oneshot";
 RemainAfterExit = true;
+ ExecStart = "/bin/sh -c 'echo -n 1 >/proc/sys/kernel/modules_disabled'";
 };
 };
 };
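Review bot: The new `ExecStart` hard-codes `/bin/sh`, so this hardening step now depends on whatever that path resolves to at boot rather than on a shell pinned in the Nix store. If `pkgs` is among the module arguments (the module header is outside this hunk), `ExecStart = "${pkgs.stdenv.shell} -c 'echo -n 1 >/proc/sys/kernel/modules_disabled'";` would keep the unit self-contained. Replacing `script` also drops the wrapper NixOS generates for it, so it is worth confirming that a failed write still marks the unit as failed instead of leaving module loading enabled unnoticed. A comment above `serviceConfig` such as `# modules_disabled is one-way: once set it cannot be cleared until reboot` would explain why the `after` ordering matters. The enclosing service definition starts above the hunk.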