nixos/home-assistant: allow capset with components using ping command

author: Martin Weinelt <hexa@darmstadt.ccc.de> 2022-01-25 18:29:16 +0100
committer: Martin Weinelt <hexa@darmstadt.ccc.de> 2022-01-25 18:29:16 +0100
commit: d4061dcc6e429510c3ac4e1fc3da34325eed8096 (patch)
tree: 9c174c67d281704b6178fa4069ddd68e3ee630b3 /nixos
parent: a6e45b089318e833f5371fb57d662eb79e3ef770 (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/nixos/modules/services/misc/home-assistant.nix b/nixos/modules/services/misc/home-assistant.nix
index 2de25d87ed398..ac4c0222aac3c 100644
--- a/nixos/modules/services/misc/home-assistant.nix
+++ b/nixos/modules/services/misc/home-assistant.nix
@@ -278,6 +278,11 @@ in {
           "bluetooth_tracker"
           "bluetooth_le_tracker"
         ];
+        componentsUsingPing = [
+          # Components that require the capset syscall for the ping wrapper
+          "ping"
+          "wake_on_lan"
+        ];
         componentsUsingSerialDevices = [
           # Components that require access to serial devices (/dev/tty*)
           # List generated from home-assistant documentation:
@@ -382,6 +387,8 @@ in {
         SystemCallFilter = [
           "@system-service"
           "~@privileged"
+        ] ++ optionals (any useComponent componentsUsingPing) [
+          "capset"
         ];
         UMask = "0077";
       };
author	Martin Weinelt <hexa@darmstadt.ccc.de>	2022-01-25 18:29:16 +0100
committer	Martin Weinelt <hexa@darmstadt.ccc.de>	2022-01-25 18:29:16 +0100
commit	d4061dcc6e429510c3ac4e1fc3da34325eed8096 (patch)
tree	9c174c67d281704b6178fa4069ddd68e3ee630b3 /nixos
parent	a6e45b089318e833f5371fb57d662eb79e3ef770 (diff)