The socket option is valid in socket-activated services only, and requires the relevant socket unit file (see systemd.socket(5) for details) to have Accept=yes set, or to specify a single socket only. If this option is set, standard input will be connected to the socket the service was activated from, which is primarily useful for compatibility with daemons designed for use with the traditional inetd(8) socket activation daemon ($LISTEN_FDS (and related) environment variables are not passed when socket value is configured).

OPERATION
When started with -S, capsudod creates a UNIX domain socket at the specified path and accepts client connections.
When started without -S, capsudod assumes it has been launched by another daemon and serves a single client connection on file descriptor 0. In this mode, capsudod does not create or listen on a socket.
This supports inetd-style and wrapper-based deployment, where an authentication or policy daemon performs access checks and then execs capsudod with the already-connected client socket.

[admin@nixos:~]$ capsudo -S /run/capsudo/id
uid=0(root) gid=0(root) groups=0(root)

[admin@nixos:~]$ systemctl status capsudo-id@0-3-1224_1225-1000.service
× capsudo-id@0-3-1224_1225-1000.service - PID 1224/UID 1000
     Loaded: loaded (/etc/systemd/system/capsudo-id@.service; static)
     Active: failed (Result: exit-code) since Tue 2026-06-16 11:29:29 UTC; 31s ago
   Duration: 5ms
 Invocation: 95cbc49b21394cbf816f4ebf10251d76
TriggeredBy: ● capsudo-id.socket
    Process: 1225 ExecStart=/nix/store/zwrp4y0g6z5apxv38dcilr95b9jav06g-capsudo/bin/capsudod -E -f /nix/store/9ypz3flqsrl5xl495mm8h645gadjsxi1-coreutils-9.11/bin/id (code=exited, status=1/FAILURE)
   Main PID: 1225 (code=exited, status=1/FAILURE)
         IP: 0B in, 0B out
         IO: 0B read, 0B written
   Mem peak: 2M
        CPU: 6ms

Jun 16 11:29:29 nixos systemd[1]: Starting PID 1224/UID 1000...
Jun 16 11:29:29 nixos systemd[1]: Started PID 1224/UID 1000.
Jun 16 11:29:29 nixos systemd[1]: capsudo-id@0-3-1224_1225-1000.service: Main process exited, code=exited, status=1/FAILURE
Jun 16 11:29:29 nixos systemd[1]: capsudo-id@0-3-1224_1225-1000.service: Failed with result 'exit-code'.

[admin@nixos:~]$

The socket option is valid in socket-activated services only, and requires the relevant socket unit file (see systemd.socket(5) for details) to have Accept=yes set, or to specify a single socket only. If this option is set, standard input will be connected to the socket the service was activated from, which is primarily useful for compatibility with daemons designed for use with the traditional inetd(8) socket activation daemon ($LISTEN_FDS (and related) environment variables are not passed when socket value is configured).

OPERATION
When started with -S, capsudod creates a UNIX domain socket at the specified path and accepts client connections.
When started without -S, capsudod assumes it has been launched by another daemon and serves a single client connection on file descriptor 0. In this mode, capsudod does not create or listen on a socket.
This supports inetd-style and wrapper-based deployment, where an authentication or policy daemon performs access checks and then execs capsudod with the already-connected client socket.

[admin@nixos:~]$ capsudo -S /run/capsudo/id
uid=0(root) gid=0(root) groups=0(root)

[admin@nixos:~]$ systemctl status capsudo-id@0-3-1224_1225-1000.service
× capsudo-id@0-3-1224_1225-1000.service - PID 1224/UID 1000
     Loaded: loaded (/etc/systemd/system/capsudo-id@.service; static)
     Active: failed (Result: exit-code) since Tue 2026-06-16 11:29:29 UTC; 31s ago
   Duration: 5ms
 Invocation: 95cbc49b21394cbf816f4ebf10251d76
TriggeredBy: ● capsudo-id.socket
    Process: 1225 ExecStart=/nix/store/zwrp4y0g6z5apxv38dcilr95b9jav06g-capsudo/bin/capsudod -E -f /nix/store/9ypz3flqsrl5xl495mm8h645gadjsxi1-coreutils-9.11/bin/id (code=exited, status=1/FAILURE)
   Main PID: 1225 (code=exited, status=1/FAILURE)
         IP: 0B in, 0B out
         IO: 0B read, 0B written
   Mem peak: 2M
        CPU: 6ms

Jun 16 11:29:29 nixos systemd[1]: Starting PID 1224/UID 1000...
Jun 16 11:29:29 nixos systemd[1]: Started PID 1224/UID 1000.
Jun 16 11:29:29 nixos systemd[1]: capsudo-id@0-3-1224_1225-1000.service: Main process exited, code=exited, status=1/FAILURE
Jun 16 11:29:29 nixos systemd[1]: capsudo-id@0-3-1224_1225-1000.service: Failed with result 'exit-code'.

[admin@nixos:~]$

StandardInput=
Controls where file descriptor 0 (STDIN) of the executed processes is connected to. Takes one of null, tty, tty-force, tty-fail, data, file:path, socket or fd:name.

StandardInput=
Controls where file descriptor 0 (STDIN) of the executed processes is connected to. Takes one of null, tty, tty-force, tty-fail, data, file:path, socket or fd:name.

hexa Unattended Kernel-Upgrades mit Full-Disk Encryption

magst du config danach sharen? wäre interessiert, wie du das machst.

insbesondere, weil mein letzter stand war, dass systemd-pcrenroll in der default-konfiguration wohl nicht das ist, was man will.