Function( Function { head: Destructured( FunctionHeadDestructured { ellipsis: true, identifier: None, arguments: [ FunctionHeadDestructuredArgument { identifier: "config", default: None, }, FunctionHeadDestructuredArgument { identifier: "lib", default: None, }, ], }, ), body: With( With { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 3, column: 6, }, end: Position { line: 3, column: 9, }, }, }, ), target: Map( Map { recursive: false, bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "meta", span: Span { start: Position { line: 6, column: 3, }, end: Position { line: 6, column: 7, }, }, }, ), ], to: Map( Map { recursive: false, bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "maintainers", span: Span { start: Position { line: 7, column: 5, }, end: Position { line: 7, column: 16, }, }, }, ), ], to: List( List { elements: [ PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "maintainers", span: Span { start: Position { line: 7, column: 21, }, end: Position { line: 7, column: 32, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "joachifm", span: Span { start: Position { line: 7, column: 33, }, end: Position { line: 7, column: 41, }, }, }, ), ], default: None, }, ), ], span: Span { start: Position { line: 7, column: 19, }, end: Position { line: 7, column: 43, }, }, }, ), }, ), ], span: Span { start: Position { line: 6, column: 10, }, end: Position { line: 8, column: 4, }, }, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "imports", span: Span { start: Position { line: 10, column: 3, }, end: Position { line: 10, column: 10, }, }, }, ), ], to: List( List { elements: [ FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 11, column: 6, }, end: Position { line: 11, column: 9, }, }, }, ), attribute_path: [ Raw( PartRaw { 
content: "mkRenamedOptionModule", span: Span { start: Position { line: 11, column: 10, }, end: Position { line: 11, column: 31, }, }, }, ), ], default: None, }, ), arguments: [ List( List { elements: [ String( String_ { parts: [ Raw( PartRaw { content: "security", span: Span { start: Position { line: 11, column: 35, }, end: Position { line: 11, column: 43, }, }, }, ), ], span: Span { start: Position { line: 11, column: 34, }, end: Position { line: 11, column: 44, }, }, }, ), String( String_ { parts: [ Raw( PartRaw { content: "virtualization", span: Span { start: Position { line: 11, column: 46, }, end: Position { line: 11, column: 60, }, }, }, ), ], span: Span { start: Position { line: 11, column: 45, }, end: Position { line: 11, column: 61, }, }, }, ), String( String_ { parts: [ Raw( PartRaw { content: "flushL1DataCache", span: Span { start: Position { line: 11, column: 63, }, end: Position { line: 11, column: 79, }, }, }, ), ], span: Span { start: Position { line: 11, column: 62, }, end: Position { line: 11, column: 80, }, }, }, ), ], span: Span { start: Position { line: 11, column: 32, }, end: Position { line: 11, column: 82, }, }, }, ), List( List { elements: [ String( String_ { parts: [ Raw( PartRaw { content: "security", span: Span { start: Position { line: 11, column: 86, }, end: Position { line: 11, column: 94, }, }, }, ), ], span: Span { start: Position { line: 11, column: 85, }, end: Position { line: 11, column: 95, }, }, }, ), String( String_ { parts: [ Raw( PartRaw { content: "virtualisation", span: Span { start: Position { line: 11, column: 97, }, end: Position { line: 11, column: 111, }, }, }, ), ], span: Span { start: Position { line: 11, column: 96, }, end: Position { line: 11, column: 112, }, }, }, ), String( String_ { parts: [ Raw( PartRaw { content: "flushL1DataCache", span: Span { start: Position { line: 11, column: 114, }, end: Position { line: 11, column: 130, }, }, }, ), ], span: Span { start: Position { line: 11, column: 113, }, end: 
Position { line: 11, column: 131, }, }, }, ), ], span: Span { start: Position { line: 11, column: 83, }, end: Position { line: 11, column: 133, }, }, }, ), ], }, ), ], span: Span { start: Position { line: 10, column: 13, }, end: Position { line: 12, column: 4, }, }, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "options", span: Span { start: Position { line: 14, column: 3, }, end: Position { line: 14, column: 10, }, }, }, ), ], to: Map( Map { recursive: false, bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "security", span: Span { start: Position { line: 15, column: 5, }, end: Position { line: 15, column: 13, }, }, }, ), Raw( PartRaw { content: "allowUserNamespaces", span: Span { start: Position { line: 15, column: 14, }, end: Position { line: 15, column: 33, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: Identifier( Identifier { id: "mkOption", span: Span { start: Position { line: 15, column: 36, }, end: Position { line: 15, column: 44, }, }, }, ), arguments: [ Map( Map { recursive: false, bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "type", span: Span { start: Position { line: 16, column: 7, }, end: Position { line: 16, column: 11, }, }, }, ), ], to: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "types", span: Span { start: Position { line: 16, column: 14, }, end: Position { line: 16, column: 19, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "bool", span: Span { start: Position { line: 16, column: 20, }, end: Position { line: 16, column: 24, }, }, }, ), ], default: None, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "default", span: Span { start: Position { line: 17, column: 7, }, end: Position { line: 17, column: 14, }, }, }, ), ], to: Identifier( Identifier { id: "true", span: Span { start: Position { line: 17, column: 17, }, end: Position { line: 17, column: 21, }, }, }, ), }, ), KeyValue( 
BindingKeyValue { from: [ Raw( PartRaw { content: "description", span: Span { start: Position { line: 18, column: 7, }, end: Position { line: 18, column: 18, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 18, column: 21, }, end: Position { line: 18, column: 24, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "mdDoc", span: Span { start: Position { line: 18, column: 25, }, end: Position { line: 18, column: 30, }, }, }, ), ], default: None, }, ), arguments: [ IndentedString( IndentedString { parts: [ Raw( PartRaw { content: "Whether to allow creation of user namespaces.\n\nThe motivation for disabling user namespaces is the potential\npresence of code paths where the kernel's permission checking\nlogic fails to account for namespacing, instead permitting a\nnamespaced process to act outside the namespace with the same\nprivileges as it would have inside it. 
This is particularly\ndamaging in the common case of running as root within the namespace.\n\nWhen user namespace creation is disallowed, attempting to create a\nuser namespace fails with \"no space left on device\" (ENOSPC).\nroot may re-enable user namespace creation at runtime.\n", span: Span { start: Position { line: 19, column: 1, }, end: Position { line: 31, column: 7, }, }, }, ), ], span: Span { start: Position { line: 18, column: 31, }, end: Position { line: 31, column: 9, }, }, }, ), ], }, ), }, ), ], span: Span { start: Position { line: 15, column: 45, }, end: Position { line: 32, column: 6, }, }, }, ), ], }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "security", span: Span { start: Position { line: 34, column: 5, }, end: Position { line: 34, column: 13, }, }, }, ), Raw( PartRaw { content: "unprivilegedUsernsClone", span: Span { start: Position { line: 34, column: 14, }, end: Position { line: 34, column: 37, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: Identifier( Identifier { id: "mkOption", span: Span { start: Position { line: 34, column: 40, }, end: Position { line: 34, column: 48, }, }, }, ), arguments: [ Map( Map { recursive: false, bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "type", span: Span { start: Position { line: 35, column: 7, }, end: Position { line: 35, column: 11, }, }, }, ), ], to: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "types", span: Span { start: Position { line: 35, column: 14, }, end: Position { line: 35, column: 19, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "bool", span: Span { start: Position { line: 35, column: 20, }, end: Position { line: 35, column: 24, }, }, }, ), ], default: None, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "default", span: Span { start: Position { line: 36, column: 7, }, end: Position { line: 36, column: 14, }, }, }, ), ], to: Identifier( Identifier { id: 
"false", span: Span { start: Position { line: 36, column: 17, }, end: Position { line: 36, column: 22, }, }, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "description", span: Span { start: Position { line: 37, column: 7, }, end: Position { line: 37, column: 18, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 37, column: 21, }, end: Position { line: 37, column: 24, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "mdDoc", span: Span { start: Position { line: 37, column: 25, }, end: Position { line: 37, column: 30, }, }, }, ), ], default: None, }, ), arguments: [ IndentedString( IndentedString { parts: [ Raw( PartRaw { content: "When disabled, unprivileged users will not be able to create new namespaces.\nBy default unprivileged user namespaces are disabled.\nThis option only works in a hardened profile.\n", span: Span { start: Position { line: 38, column: 1, }, end: Position { line: 41, column: 7, }, }, }, ), ], span: Span { start: Position { line: 37, column: 31, }, end: Position { line: 41, column: 9, }, }, }, ), ], }, ), }, ), ], span: Span { start: Position { line: 34, column: 49, }, end: Position { line: 42, column: 6, }, }, }, ), ], }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "security", span: Span { start: Position { line: 44, column: 5, }, end: Position { line: 44, column: 13, }, }, }, ), Raw( PartRaw { content: "protectKernelImage", span: Span { start: Position { line: 44, column: 14, }, end: Position { line: 44, column: 32, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: Identifier( Identifier { id: "mkOption", span: Span { start: Position { line: 44, column: 35, }, end: Position { line: 44, column: 43, }, }, }, ), arguments: [ Map( Map { recursive: false, bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "type", 
span: Span { start: Position { line: 45, column: 7, }, end: Position { line: 45, column: 11, }, }, }, ), ], to: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "types", span: Span { start: Position { line: 45, column: 14, }, end: Position { line: 45, column: 19, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "bool", span: Span { start: Position { line: 45, column: 20, }, end: Position { line: 45, column: 24, }, }, }, ), ], default: None, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "default", span: Span { start: Position { line: 46, column: 7, }, end: Position { line: 46, column: 14, }, }, }, ), ], to: Identifier( Identifier { id: "false", span: Span { start: Position { line: 46, column: 17, }, end: Position { line: 46, column: 22, }, }, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "description", span: Span { start: Position { line: 47, column: 7, }, end: Position { line: 47, column: 18, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 47, column: 21, }, end: Position { line: 47, column: 24, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "mdDoc", span: Span { start: Position { line: 47, column: 25, }, end: Position { line: 47, column: 30, }, }, }, ), ], default: None, }, ), arguments: [ IndentedString( IndentedString { parts: [ Raw( PartRaw { content: "Whether to prevent replacing the running kernel image.\n", span: Span { start: Position { line: 48, column: 1, }, end: Position { line: 49, column: 7, }, }, }, ), ], span: Span { start: Position { line: 47, column: 31, }, end: Position { line: 49, column: 9, }, }, }, ), ], }, ), }, ), ], span: Span { start: Position { line: 44, column: 44, }, end: Position { line: 50, column: 6, }, }, }, ), ], }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "security", span: Span 
{ start: Position { line: 52, column: 5, }, end: Position { line: 52, column: 13, }, }, }, ), Raw( PartRaw { content: "allowSimultaneousMultithreading", span: Span { start: Position { line: 52, column: 14, }, end: Position { line: 52, column: 45, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: Identifier( Identifier { id: "mkOption", span: Span { start: Position { line: 52, column: 48, }, end: Position { line: 52, column: 56, }, }, }, ), arguments: [ Map( Map { recursive: false, bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "type", span: Span { start: Position { line: 53, column: 7, }, end: Position { line: 53, column: 11, }, }, }, ), ], to: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "types", span: Span { start: Position { line: 53, column: 14, }, end: Position { line: 53, column: 19, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "bool", span: Span { start: Position { line: 53, column: 20, }, end: Position { line: 53, column: 24, }, }, }, ), ], default: None, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "default", span: Span { start: Position { line: 54, column: 7, }, end: Position { line: 54, column: 14, }, }, }, ), ], to: Identifier( Identifier { id: "true", span: Span { start: Position { line: 54, column: 17, }, end: Position { line: 54, column: 21, }, }, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "description", span: Span { start: Position { line: 55, column: 7, }, end: Position { line: 55, column: 18, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 55, column: 21, }, end: Position { line: 55, column: 24, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "mdDoc", span: Span { start: Position { line: 55, column: 25, }, end: Position { line: 55, column: 30, }, }, }, ), ], 
default: None, }, ), arguments: [ IndentedString( IndentedString { parts: [ Raw( PartRaw { content: "Whether to allow SMT/hyperthreading. Disabling SMT means that only\nphysical CPU cores will be usable at runtime, potentially at\nsignificant performance cost.\n\nThe primary motivation for disabling SMT is to mitigate the risk of\nleaking data between threads running on the same CPU core (e.g., due to\nshared caches). This attack vector is unproven.\n\nDisabling SMT supplements the L1 data cache flushing mitigation\n(see [](#opt-security.virtualisation.flushL1DataCache))\nagainst malicious VM guests (SMT could \"bring back\" previously flushed\ndata).\n", span: Span { start: Position { line: 56, column: 1, }, end: Position { line: 68, column: 7, }, }, }, ), ], span: Span { start: Position { line: 55, column: 31, }, end: Position { line: 68, column: 9, }, }, }, ), ], }, ), }, ), ], span: Span { start: Position { line: 52, column: 57, }, end: Position { line: 69, column: 6, }, }, }, ), ], }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "security", span: Span { start: Position { line: 71, column: 5, }, end: Position { line: 71, column: 13, }, }, }, ), Raw( PartRaw { content: "forcePageTableIsolation", span: Span { start: Position { line: 71, column: 14, }, end: Position { line: 71, column: 37, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: Identifier( Identifier { id: "mkOption", span: Span { start: Position { line: 71, column: 40, }, end: Position { line: 71, column: 48, }, }, }, ), arguments: [ Map( Map { recursive: false, bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "type", span: Span { start: Position { line: 72, column: 7, }, end: Position { line: 72, column: 11, }, }, }, ), ], to: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "types", span: Span { start: Position { line: 72, column: 14, }, end: Position { line: 72, column: 19, }, }, }, ), attribute_path: 
[ Raw( PartRaw { content: "bool", span: Span { start: Position { line: 72, column: 20, }, end: Position { line: 72, column: 24, }, }, }, ), ], default: None, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "default", span: Span { start: Position { line: 73, column: 7, }, end: Position { line: 73, column: 14, }, }, }, ), ], to: Identifier( Identifier { id: "false", span: Span { start: Position { line: 73, column: 17, }, end: Position { line: 73, column: 22, }, }, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "description", span: Span { start: Position { line: 74, column: 7, }, end: Position { line: 74, column: 18, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 74, column: 21, }, end: Position { line: 74, column: 24, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "mdDoc", span: Span { start: Position { line: 74, column: 25, }, end: Position { line: 74, column: 30, }, }, }, ), ], default: None, }, ), arguments: [ IndentedString( IndentedString { parts: [ Raw( PartRaw { content: "Whether to force-enable the Page Table Isolation (PTI) Linux kernel\nfeature even on CPU models that claim to be safe from Meltdown.\n\nThis hardening feature is most beneficial to systems that run untrusted\nworkloads that rely on address space isolation for security.\n", span: Span { start: Position { line: 75, column: 1, }, end: Position { line: 80, column: 7, }, }, }, ), ], span: Span { start: Position { line: 74, column: 31, }, end: Position { line: 80, column: 9, }, }, }, ), ], }, ), }, ), ], span: Span { start: Position { line: 71, column: 49, }, end: Position { line: 81, column: 6, }, }, }, ), ], }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "security", span: Span { start: Position { line: 83, column: 5, }, end: Position { line: 83, column: 13, }, }, }, ), Raw( 
PartRaw { content: "virtualisation", span: Span { start: Position { line: 83, column: 14, }, end: Position { line: 83, column: 28, }, }, }, ), Raw( PartRaw { content: "flushL1DataCache", span: Span { start: Position { line: 83, column: 29, }, end: Position { line: 83, column: 45, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: Identifier( Identifier { id: "mkOption", span: Span { start: Position { line: 83, column: 48, }, end: Position { line: 83, column: 56, }, }, }, ), arguments: [ Map( Map { recursive: false, bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "type", span: Span { start: Position { line: 84, column: 7, }, end: Position { line: 84, column: 11, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "types", span: Span { start: Position { line: 84, column: 14, }, end: Position { line: 84, column: 19, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "nullOr", span: Span { start: Position { line: 84, column: 20, }, end: Position { line: 84, column: 26, }, }, }, ), ], default: None, }, ), arguments: [ FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "types", span: Span { start: Position { line: 84, column: 28, }, end: Position { line: 84, column: 33, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "enum", span: Span { start: Position { line: 84, column: 34, }, end: Position { line: 84, column: 38, }, }, }, ), ], default: None, }, ), arguments: [ List( List { elements: [ String( String_ { parts: [ Raw( PartRaw { content: "never", span: Span { start: Position { line: 84, column: 42, }, end: Position { line: 84, column: 47, }, }, }, ), ], span: Span { start: Position { line: 84, column: 41, }, end: Position { line: 84, column: 48, }, }, }, ), String( String_ { parts: [ Raw( PartRaw { content: "cond", span: Span { start: Position { 
line: 84, column: 50, }, end: Position { line: 84, column: 54, }, }, }, ), ], span: Span { start: Position { line: 84, column: 49, }, end: Position { line: 84, column: 55, }, }, }, ), String( String_ { parts: [ Raw( PartRaw { content: "always", span: Span { start: Position { line: 84, column: 57, }, end: Position { line: 84, column: 63, }, }, }, ), ], span: Span { start: Position { line: 84, column: 56, }, end: Position { line: 84, column: 64, }, }, }, ), ], span: Span { start: Position { line: 84, column: 39, }, end: Position { line: 84, column: 66, }, }, }, ), ], }, ), ], }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "default", span: Span { start: Position { line: 85, column: 7, }, end: Position { line: 85, column: 14, }, }, }, ), ], to: Identifier( Identifier { id: "null", span: Span { start: Position { line: 85, column: 17, }, end: Position { line: 85, column: 21, }, }, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "description", span: Span { start: Position { line: 86, column: 7, }, end: Position { line: 86, column: 18, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "lib", span: Span { start: Position { line: 86, column: 21, }, end: Position { line: 86, column: 24, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "mdDoc", span: Span { start: Position { line: 86, column: 25, }, end: Position { line: 86, column: 30, }, }, }, ), ], default: None, }, ), arguments: [ IndentedString( IndentedString { parts: [ Raw( PartRaw { content: "Whether the hypervisor should flush the L1 data cache before\nentering guests.\nSee also [](#opt-security.allowSimultaneousMultithreading).\n\n- `null`: uses the kernel default\n- `\"never\"`: disables L1 data cache flushing entirely.\n May be appropriate if all guests are trusted.\n- `\"cond\"`: flushes L1 data cache only for pre-determined\n code paths. 
May leak information about the host address space\n layout.\n- `\"always\"`: flushes L1 data cache every time the hypervisor\n enters the guest. May incur significant performance cost.\n", span: Span { start: Position { line: 87, column: 1, }, end: Position { line: 99, column: 7, }, }, }, ), ], span: Span { start: Position { line: 86, column: 31, }, end: Position { line: 99, column: 9, }, }, }, ), ], }, ), }, ), ], span: Span { start: Position { line: 83, column: 57, }, end: Position { line: 100, column: 6, }, }, }, ), ], }, ), }, ), ], span: Span { start: Position { line: 14, column: 13, }, end: Position { line: 101, column: 4, }, }, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "config", span: Span { start: Position { line: 103, column: 3, }, end: Position { line: 103, column: 9, }, }, }, ), ], to: FunctionApplication( FunctionApplication { function: Identifier( Identifier { id: "mkMerge", span: Span { start: Position { line: 103, column: 12, }, end: Position { line: 103, column: 19, }, }, }, ), arguments: [ List( List { elements: [ FunctionApplication( FunctionApplication { function: Identifier( Identifier { id: "mkIf", span: Span { start: Position { line: 104, column: 6, }, end: Position { line: 104, column: 10, }, }, }, ), arguments: [ UnaryOperation( UnaryOperation { operator: Not, operand: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "config", span: Span { start: Position { line: 104, column: 13, }, end: Position { line: 104, column: 19, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "security", span: Span { start: Position { line: 104, column: 20, }, end: Position { line: 104, column: 28, }, }, }, ), Raw( PartRaw { content: "allowUserNamespaces", span: Span { start: Position { line: 104, column: 29, }, end: Position { line: 104, column: 48, }, }, }, ), ], default: None, }, ), span: Span { start: Position { line: 104, column: 12, }, end: Position { line: 104, column: 48, }, }, }, ), Map( Map { 
recursive: false, bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "boot", span: Span { start: Position { line: 108, column: 7, }, end: Position { line: 108, column: 11, }, }, }, ), Raw( PartRaw { content: "kernel", span: Span { start: Position { line: 108, column: 12, }, end: Position { line: 108, column: 18, }, }, }, ), Raw( PartRaw { content: "sysctl", span: Span { start: Position { line: 108, column: 19, }, end: Position { line: 108, column: 25, }, }, }, ), Expression( PartExpression { expression: String( String_ { parts: [ Raw( PartRaw { content: "user.max_user_namespaces", span: Span { start: Position { line: 108, column: 27, }, end: Position { line: 108, column: 51, }, }, }, ), ], span: Span { start: Position { line: 108, column: 26, }, end: Position { line: 108, column: 52, }, }, }, ), }, ), ], to: Integer( Integer { value: "0", span: Span { start: Position { line: 108, column: 55, }, end: Position { line: 108, column: 56, }, }, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "assertions", span: Span { start: Position { line: 110, column: 7, }, end: Position { line: 110, column: 17, }, }, }, ), ], to: List( List { elements: [ Map( Map { recursive: false, bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "assertion", span: Span { start: Position { line: 111, column: 11, }, end: Position { line: 111, column: 20, }, }, }, ), ], to: BinaryOperation( BinaryOperation { left: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "config", span: Span { start: Position { line: 111, column: 23, }, end: Position { line: 111, column: 29, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "nix", span: Span { start: Position { line: 111, column: 30, }, end: Position { line: 111, column: 33, }, }, }, ), Raw( PartRaw { content: "settings", span: Span { start: Position { line: 111, column: 34, }, end: Position { line: 111, column: 42, }, }, }, ), Raw( PartRaw { content: "sandbox", 
span: Span { start: Position { line: 111, column: 43, }, end: Position { line: 111, column: 50, }, }, }, ), ], default: None, }, ), operator: Implication, right: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "config", span: Span { start: Position { line: 111, column: 54, }, end: Position { line: 111, column: 60, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "security", span: Span { start: Position { line: 111, column: 61, }, end: Position { line: 111, column: 69, }, }, }, ), Raw( PartRaw { content: "allowUserNamespaces", span: Span { start: Position { line: 111, column: 70, }, end: Position { line: 111, column: 89, }, }, }, ), ], default: None, }, ), }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "message", span: Span { start: Position { line: 112, column: 11, }, end: Position { line: 112, column: 18, }, }, }, ), ], to: String( String_ { parts: [ Raw( PartRaw { content: "`nix.settings.sandbox = true` conflicts with `!security.allowUserNamespaces`.", span: Span { start: Position { line: 112, column: 22, }, end: Position { line: 112, column: 99, }, }, }, ), ], span: Span { start: Position { line: 112, column: 21, }, end: Position { line: 112, column: 100, }, }, }, ), }, ), ], span: Span { start: Position { line: 111, column: 9, }, end: Position { line: 113, column: 10, }, }, }, ), ], span: Span { start: Position { line: 110, column: 20, }, end: Position { line: 114, column: 8, }, }, }, ), }, ), ], span: Span { start: Position { line: 104, column: 50, }, end: Position { line: 115, column: 6, }, }, }, ), ], }, ), FunctionApplication( FunctionApplication { function: Identifier( Identifier { id: "mkIf", span: Span { start: Position { line: 117, column: 6, }, end: Position { line: 117, column: 10, }, }, }, ), arguments: [ PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "config", span: Span { start: Position { line: 117, column: 11, }, end: Position { line: 117, column: 17, }, }, }, ), 
attribute_path: [ Raw( PartRaw { content: "security", span: Span { start: Position { line: 117, column: 18, }, end: Position { line: 117, column: 26, }, }, }, ), Raw( PartRaw { content: "unprivilegedUsernsClone", span: Span { start: Position { line: 117, column: 27, }, end: Position { line: 117, column: 50, }, }, }, ), ], default: None, }, ), Map( Map { recursive: false, bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "boot", span: Span { start: Position { line: 118, column: 7, }, end: Position { line: 118, column: 11, }, }, }, ), Raw( PartRaw { content: "kernel", span: Span { start: Position { line: 118, column: 12, }, end: Position { line: 118, column: 18, }, }, }, ), Raw( PartRaw { content: "sysctl", span: Span { start: Position { line: 118, column: 19, }, end: Position { line: 118, column: 25, }, }, }, ), Expression( PartExpression { expression: String( String_ { parts: [ Raw( PartRaw { content: "kernel.unprivileged_userns_clone", span: Span { start: Position { line: 118, column: 27, }, end: Position { line: 118, column: 59, }, }, }, ), ], span: Span { start: Position { line: 118, column: 26, }, end: Position { line: 118, column: 60, }, }, }, ), }, ), ], to: FunctionApplication( FunctionApplication { function: Identifier( Identifier { id: "mkDefault", span: Span { start: Position { line: 118, column: 63, }, end: Position { line: 118, column: 72, }, }, }, ), arguments: [ Identifier( Identifier { id: "true", span: Span { start: Position { line: 118, column: 73, }, end: Position { line: 118, column: 77, }, }, }, ), ], }, ), }, ), ], span: Span { start: Position { line: 117, column: 51, }, end: Position { line: 119, column: 6, }, }, }, ), ], }, ), FunctionApplication( FunctionApplication { function: Identifier( Identifier { id: "mkIf", span: Span { start: Position { line: 121, column: 6, }, end: Position { line: 121, column: 10, }, }, }, ), arguments: [ PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "config", span: 
Span { start: Position { line: 121, column: 11, }, end: Position { line: 121, column: 17, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "security", span: Span { start: Position { line: 121, column: 18, }, end: Position { line: 121, column: 26, }, }, }, ), Raw( PartRaw { content: "protectKernelImage", span: Span { start: Position { line: 121, column: 27, }, end: Position { line: 121, column: 45, }, }, }, ), ], default: None, }, ), Map( Map { recursive: false, bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "boot", span: Span { start: Position { line: 123, column: 7, }, end: Position { line: 123, column: 11, }, }, }, ), Raw( PartRaw { content: "kernelParams", span: Span { start: Position { line: 123, column: 12, }, end: Position { line: 123, column: 24, }, }, }, ), ], to: List( List { elements: [ String( String_ { parts: [ Raw( PartRaw { content: "nohibernate", span: Span { start: Position { line: 123, column: 30, }, end: Position { line: 123, column: 41, }, }, }, ), ], span: Span { start: Position { line: 123, column: 29, }, end: Position { line: 123, column: 42, }, }, }, ), ], span: Span { start: Position { line: 123, column: 27, }, end: Position { line: 123, column: 44, }, }, }, ), }, ), KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "boot", span: Span { start: Position { line: 125, column: 7, }, end: Position { line: 125, column: 11, }, }, }, ), Raw( PartRaw { content: "kernel", span: Span { start: Position { line: 125, column: 12, }, end: Position { line: 125, column: 18, }, }, }, ), Raw( PartRaw { content: "sysctl", span: Span { start: Position { line: 125, column: 19, }, end: Position { line: 125, column: 25, }, }, }, ), Expression( PartExpression { expression: String( String_ { parts: [ Raw( PartRaw { content: "kernel.kexec_load_disabled", span: Span { start: Position { line: 125, column: 27, }, end: Position { line: 125, column: 53, }, }, }, ), ], span: Span { start: Position { line: 125, column: 26, }, end: 
Position { line: 125, column: 54, }, }, }, ), }, ), ], to: FunctionApplication( FunctionApplication { function: Identifier( Identifier { id: "mkDefault", span: Span { start: Position { line: 125, column: 57, }, end: Position { line: 125, column: 66, }, }, }, ), arguments: [ Identifier( Identifier { id: "true", span: Span { start: Position { line: 125, column: 67, }, end: Position { line: 125, column: 71, }, }, }, ), ], }, ), }, ), ], span: Span { start: Position { line: 121, column: 46, }, end: Position { line: 126, column: 6, }, }, }, ), ], }, ), FunctionApplication( FunctionApplication { function: Identifier( Identifier { id: "mkIf", span: Span { start: Position { line: 128, column: 6, }, end: Position { line: 128, column: 10, }, }, }, ), arguments: [ UnaryOperation( UnaryOperation { operator: Not, operand: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "config", span: Span { start: Position { line: 128, column: 13, }, end: Position { line: 128, column: 19, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "security", span: Span { start: Position { line: 128, column: 20, }, end: Position { line: 128, column: 28, }, }, }, ), Raw( PartRaw { content: "allowSimultaneousMultithreading", span: Span { start: Position { line: 128, column: 29, }, end: Position { line: 128, column: 60, }, }, }, ), ], default: None, }, ), span: Span { start: Position { line: 128, column: 12, }, end: Position { line: 128, column: 60, }, }, }, ), Map( Map { recursive: false, bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "boot", span: Span { start: Position { line: 129, column: 7, }, end: Position { line: 129, column: 11, }, }, }, ), Raw( PartRaw { content: "kernelParams", span: Span { start: Position { line: 129, column: 12, }, end: Position { line: 129, column: 24, }, }, }, ), ], to: List( List { elements: [ String( String_ { parts: [ Raw( PartRaw { content: "nosmt", span: Span { start: Position { line: 129, column: 30, }, end: 
Position { line: 129, column: 35, }, }, }, ), ], span: Span { start: Position { line: 129, column: 29, }, end: Position { line: 129, column: 36, }, }, }, ), ], span: Span { start: Position { line: 129, column: 27, }, end: Position { line: 129, column: 38, }, }, }, ), }, ), ], span: Span { start: Position { line: 128, column: 62, }, end: Position { line: 130, column: 6, }, }, }, ), ], }, ), FunctionApplication( FunctionApplication { function: Identifier( Identifier { id: "mkIf", span: Span { start: Position { line: 132, column: 6, }, end: Position { line: 132, column: 10, }, }, }, ), arguments: [ PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "config", span: Span { start: Position { line: 132, column: 11, }, end: Position { line: 132, column: 17, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "security", span: Span { start: Position { line: 132, column: 18, }, end: Position { line: 132, column: 26, }, }, }, ), Raw( PartRaw { content: "forcePageTableIsolation", span: Span { start: Position { line: 132, column: 27, }, end: Position { line: 132, column: 50, }, }, }, ), ], default: None, }, ), Map( Map { recursive: false, bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "boot", span: Span { start: Position { line: 133, column: 7, }, end: Position { line: 133, column: 11, }, }, }, ), Raw( PartRaw { content: "kernelParams", span: Span { start: Position { line: 133, column: 12, }, end: Position { line: 133, column: 24, }, }, }, ), ], to: List( List { elements: [ String( String_ { parts: [ Raw( PartRaw { content: "pti=on", span: Span { start: Position { line: 133, column: 30, }, end: Position { line: 133, column: 36, }, }, }, ), ], span: Span { start: Position { line: 133, column: 29, }, end: Position { line: 133, column: 37, }, }, }, ), ], span: Span { start: Position { line: 133, column: 27, }, end: Position { line: 133, column: 39, }, }, }, ), }, ), ], span: Span { start: Position { line: 132, column: 51, }, end: 
Position { line: 134, column: 6, }, }, }, ), ], }, ), FunctionApplication( FunctionApplication { function: Identifier( Identifier { id: "mkIf", span: Span { start: Position { line: 136, column: 6, }, end: Position { line: 136, column: 10, }, }, }, ), arguments: [ BinaryOperation( BinaryOperation { left: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "config", span: Span { start: Position { line: 136, column: 12, }, end: Position { line: 136, column: 18, }, }, }, ), attribute_path: [ Raw( PartRaw { content: "security", span: Span { start: Position { line: 136, column: 19, }, end: Position { line: 136, column: 27, }, }, }, ), Raw( PartRaw { content: "virtualisation", span: Span { start: Position { line: 136, column: 28, }, end: Position { line: 136, column: 42, }, }, }, ), Raw( PartRaw { content: "flushL1DataCache", span: Span { start: Position { line: 136, column: 43, }, end: Position { line: 136, column: 59, }, }, }, ), ], default: None, }, ), operator: NotEqualTo, right: Identifier( Identifier { id: "null", span: Span { start: Position { line: 136, column: 63, }, end: Position { line: 136, column: 67, }, }, }, ), }, ), Map( Map { recursive: false, bindings: [ KeyValue( BindingKeyValue { from: [ Raw( PartRaw { content: "boot", span: Span { start: Position { line: 137, column: 7, }, end: Position { line: 137, column: 11, }, }, }, ), Raw( PartRaw { content: "kernelParams", span: Span { start: Position { line: 137, column: 12, }, end: Position { line: 137, column: 24, }, }, }, ), ], to: List( List { elements: [ String( String_ { parts: [ Raw( PartRaw { content: "kvm-intel.vmentry_l1d_flush=", span: Span { start: Position { line: 137, column: 30, }, end: Position { line: 137, column: 108, }, }, }, ), Interpolation( PartInterpolation { expression: PropertyAccess( PropertyAccess { expression: Identifier( Identifier { id: "config", span: Span { start: Position { line: 137, column: 60, }, end: Position { line: 137, column: 66, }, }, }, ), 
attribute_path: [ Raw( PartRaw { content: "security", span: Span { start: Position { line: 137, column: 67, }, end: Position { line: 137, column: 75, }, }, }, ), Raw( PartRaw { content: "virtualisation", span: Span { start: Position { line: 137, column: 76, }, end: Position { line: 137, column: 90, }, }, }, ), Raw( PartRaw { content: "flushL1DataCache", span: Span { start: Position { line: 137, column: 91, }, end: Position { line: 137, column: 107, }, }, }, ), ], default: None, }, ), }, ), ], span: Span { start: Position { line: 137, column: 29, }, end: Position { line: 137, column: 109, }, }, }, ), ], span: Span { start: Position { line: 137, column: 27, }, end: Position { line: 137, column: 111, }, }, }, ), }, ), ], span: Span { start: Position { line: 136, column: 69, }, end: Position { line: 138, column: 6, }, }, }, ), ], }, ), ], span: Span { start: Position { line: 103, column: 20, }, end: Position { line: 139, column: 4, }, }, }, ), ], }, ), }, ), ], span: Span { start: Position { line: 5, column: 1, }, end: Position { line: 140, column: 2, }, }, }, ), span: Span { start: Position { line: 3, column: 1, }, end: Position { line: 140, column: 2, }, }, }, ), span: Span { start: Position { line: 1, column: 1, }, end: Position { line: 140, column: 2, }, }, }, )