fix: allow platformio to use @privileged syscalls since linking fails

otherwise (error -31) (it's not root anyway)
2023-03-18 02:15:51 +01:00 · 2023-03-18 02:15:51 +01:00 · 3b6503f2e2
commit 3b6503f2e2
parent 20e539020c
2 changed files with 3 additions and 3 deletions
--- a/hosts/zackbiene/esphome.nix
+++ b/hosts/zackbiene/esphome.nix
@ -48,7 +48,6 @@ in {
      SystemCallArchitectures = "native";
      SystemCallFilter = [
        "@system-service"
-        "~@privileged"
        "@mount" # Required by platformio for chroot
      ];
      UMask = "0077";
@ -64,6 +63,7 @@ in {

  users.groups.esphome.gid = 316;

+  # TODO esphome.sock permissions pls nginx currently world writable
  services.nginx.upstreams = {
    "esphome" = {
      servers = {"unix:/run/esphome/esphome.sock" = {};};
--- a/hosts/zackbiene/hostapd.nix
+++ b/hosts/zackbiene/hostapd.nix
@ -79,13 +79,13 @@
    serviceConfig = {
      ExecReload = "/bin/kill -HUP $MAINPID";
      RuntimeDirectory = "hostapd";
-      DeviceAllow = "/dev/rfkill rw";

      # Hardening
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
+      DevicePolicy = "closed";
+      DeviceAllow = "/dev/rfkill rw";
      NoNewPrivileges = true;
-      PrivateDevices = true;
      PrivateUsers = false; # hostapd requires real system root access.
      PrivateTmp = true;
      ProtectClock = true;