fix: allow platformio to use @privileged syscalls since linking fails
otherwise (error -31) (it's not root anyway)
This commit is contained in:
parent
20e539020c
commit
3b6503f2e2
2 changed files with 3 additions and 3 deletions
|
@ -48,7 +48,6 @@ in {
|
||||||
SystemCallArchitectures = "native";
|
SystemCallArchitectures = "native";
|
||||||
SystemCallFilter = [
|
SystemCallFilter = [
|
||||||
"@system-service"
|
"@system-service"
|
||||||
"~@privileged"
|
|
||||||
"@mount" # Required by platformio for chroot
|
"@mount" # Required by platformio for chroot
|
||||||
];
|
];
|
||||||
UMask = "0077";
|
UMask = "0077";
|
||||||
|
@ -64,6 +63,7 @@ in {
|
||||||
|
|
||||||
users.groups.esphome.gid = 316;
|
users.groups.esphome.gid = 316;
|
||||||
|
|
||||||
|
# TODO esphome.sock permissions pls nginx currently world writable
|
||||||
services.nginx.upstreams = {
|
services.nginx.upstreams = {
|
||||||
"esphome" = {
|
"esphome" = {
|
||||||
servers = {"unix:/run/esphome/esphome.sock" = {};};
|
servers = {"unix:/run/esphome/esphome.sock" = {};};
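Review bot: The TODO at line 66 records that /run/esphome/esphome.sock is world-writable but leaves it that way, so any local user can talk to the esphome web API directly, not just the nginx worker that fronts it. If the esphome unit is started with a systemd `RuntimeDirectory = "esphome"`, restricting traversal of that directory closes the hole regardless of the socket's own mode: `RuntimeDirectoryMode = "0750";` on the esphome unit plus `users.users.nginx.extraGroups = ["esphome"];` lets nginx keep connecting via the group fixed at gid 316 on line 57; the esphome unit's serviceConfig is outside this hunk, so confirm the socket really lives under a RuntimeDirectory and that the unit's Group is esphome. Separately, dropping `"~@privileged"` in the hunk at line 13 re-admits the whole set (chown/setuid/chroot/mount and friends) rather than the single call platformio's link step needs; `SystemCallLog = ["@privileged"];` would identify it, after which keeping `"~@privileged"` and listing that one syscall after it keeps the filter tight — systemd merges the list in order, so verify that precedence on the systemd version in use.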
|
||||||
|
|
|
@ -79,13 +79,13 @@
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
ExecReload = "/bin/kill -HUP $MAINPID";
|
ExecReload = "/bin/kill -HUP $MAINPID";
|
||||||
RuntimeDirectory = "hostapd";
|
RuntimeDirectory = "hostapd";
|
||||||
DeviceAllow = "/dev/rfkill rw";
|
|
||||||
|
|
||||||
# Hardening
|
# Hardening
|
||||||
LockPersonality = true;
|
LockPersonality = true;
|
||||||
MemoryDenyWriteExecute = true;
|
MemoryDenyWriteExecute = true;
|
||||||
|
DevicePolicy = "closed";
|
||||||
|
DeviceAllow = "/dev/rfkill rw";
|
||||||
NoNewPrivileges = true;
|
NoNewPrivileges = true;
|
||||||
PrivateDevices = true;
|
|
||||||
PrivateUsers = false; # hostapd requires real system root access.
|
PrivateUsers = false; # hostapd requires real system root access.
|
||||||
PrivateTmp = true;
|
PrivateTmp = true;
|
||||||
ProtectClock = true;
|
ProtectClock = true;
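Review bot: Replacing `PrivateDevices = true` with `DevicePolicy = "closed"` plus `DeviceAllow = "/dev/rfkill rw"` (lines 128 and 132) silently loses the capability drop PrivateDevices= implies: systemd removes CAP_MKNOD and CAP_SYS_RAWIO from the bounding set only as a side effect of PrivateDevices, and this unit runs as real root (`PrivateUsers = false` on line 144). Unless CapabilityBoundingSet is already restricted elsewhere in this serviceConfig (the block opens at line 90 but continues past the hunk), add `CapabilityBoundingSet = "~CAP_MKNOD CAP_SYS_RAWIO";` next to the new DevicePolicy line so a compromised hostapd cannot mknod its way around the device policy; an allow-list of only the capabilities hostapd needs would be tighter still. A why-comment on the DevicePolicy line would also help the next reader, e.g. `# Not PrivateDevices, which would also block /dev/rfkill: deny all device nodes except the closed-policy defaults and rfkill.`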
|
||||||
|
|