
fix: allow platformio to use @privileged syscalls since linking fails

otherwise (error -31) (it's not root anyway)
This commit is contained in:
oddlama 2023-03-18 02:15:51 +01:00
parent 20e539020c
commit 3b6503f2e2
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
2 changed files with 3 additions and 3 deletions


@ -48,7 +48,6 @@ in {
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallFilter = [ SystemCallFilter = [
"@system-service" "@system-service"
"~@privileged"
"@mount" # Required by platformio for chroot "@mount" # Required by platformio for chroot
]; ];
UMask = "0077"; UMask = "0077";
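Review bot: Removing `"~@privileged"` at line 23 re-enables the whole @privileged syscall group for this service, while the commit message reports only one failing operation (the platformio link step, error -31); the narrower fix is to keep the deny entry and append just the syscall that step needs once it has been identified from the seccomp denial in the journal, e.g. `"~@privileged" "<syscall-from-seccomp-log>"` after `"@system-service"`. With `"~@privileged"` gone the list is a plain allow-list of `@system-service` plus `@mount`, and nothing in the file records why it was widened; a comment beside `"@system-service"` such as `# ~@privileged dropped: platformio's link step failed (error -31); re-add it with a narrow exception once the needed syscall is known` would preserve that reason for the next tightening pass. Running as a non-root user limits what the wider filter can be abused for, but it does not replace the filter, since seccomp restrictions apply regardless of the service's uid. The enclosing serviceConfig attribute set starts before this hunk.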
@ -64,6 +63,7 @@ in {
users.groups.esphome.gid = 316; users.groups.esphome.gid = 316;
# TODO esphome.sock permissions pls nginx currently world writable
services.nginx.upstreams = { services.nginx.upstreams = {
"esphome" = { "esphome" = {
servers = {"unix:/run/esphome/esphome.sock" = {};}; servers = {"unix:/run/esphome/esphome.sock" = {};};


@ -79,13 +79,13 @@
serviceConfig = { serviceConfig = {
ExecReload = "/bin/kill -HUP $MAINPID"; ExecReload = "/bin/kill -HUP $MAINPID";
RuntimeDirectory = "hostapd"; RuntimeDirectory = "hostapd";
DeviceAllow = "/dev/rfkill rw";
# Hardening # Hardening
LockPersonality = true; LockPersonality = true;
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
DevicePolicy = "closed";
DeviceAllow = "/dev/rfkill rw";
NoNewPrivileges = true; NoNewPrivileges = true;
PrivateDevices = true;
PrivateUsers = false; # hostapd requires real system root access. PrivateUsers = false; # hostapd requires real system root access.
PrivateTmp = true; PrivateTmp = true;
ProtectClock = true; ProtectClock = true;