From ae758a85d7a0e3f1c37c6434cfe81f41f9575992 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= <nix@dotlambda.de>
Date: Tue, 17 May 2022 18:12:19 +0000
Subject: [PATCH] nixos/radicale: give access to /dev/urandom

A git command was failing in the test with

    error: unable to get random bytes for temporary file: Operation not permitted
    error: unable to create temporary file: Operation not permitted
    error: .Radicale.lock: failed to insert into database
    error: unable to index file '.Radicale.lock'
---
 nixos/modules/services/networking/radicale.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nixos/modules/services/networking/radicale.nix b/nixos/modules/services/networking/radicale.nix
index c6c40777ed7..227bafc1d0e 100644
--- a/nixos/modules/services/networking/radicale.nix
+++ b/nixos/modules/services/networking/radicale.nix
@@ -164,7 +164,7 @@ in {
         StateDirectoryMode = "0750";
         # Hardening
         CapabilityBoundingSet = [ "" ];
-        DeviceAllow = [ "/dev/stdin" ];
+        DeviceAllow = [ "/dev/stdin" "/dev/urandom" ];
         DevicePolicy = "strict";
         IPAddressAllow = mkIf bindLocalhost "localhost";
         IPAddressDeny = mkIf bindLocalhost "any";