nixos/home-assistant: allow capset with components using ping command

2 years ago · d4061dcc6e
parent a6e45b0893
commit d4061dcc6e
1 changed files with 7 additions and 0 deletions
--- a/nixos/modules/services/misc/home-assistant.nix
+++ b/nixos/modules/services/misc/home-assistant.nix
@ -278,6 +278,11 @@ in {
          "bluetooth_tracker"
          "bluetooth_le_tracker"
        ];
+        componentsUsingPing = [
+          # Components that require the capset syscall for the ping wrapper
+          "ping"
+          "wake_on_lan"
+        ];
        componentsUsingSerialDevices = [
          # Components that require access to serial devices (/dev/tty*)
          # List generated from home-assistant documentation:
@ -382,6 +387,8 @@ in {
        SystemCallFilter = [
          "@system-service"
          "~@privileged"
+        ] ++ optionals (any useComponent componentsUsingPing) [
+          "capset"
        ];
        UMask = "0077";
      };