nixos.photoprism: Relax sandbox to allow running exiftool

exiftool is written in Perl which appears to call `chown` as part of startup. This is blocked by the `@privileged` system call group. This causes a failure when changing image orientation. Fixes: https://github.com/NixOS/nixpkgs/issues/249120
2023-08-15 07:58:42 -04:00 · 2023-08-15 07:58:42 -04:00 · 86c67a1f11
parent ea95c09176
commit 86c67a1f11
1 changed files with 1 additions and 1 deletions
--- a/nixos/modules/services/web-apps/photoprism.nix
+++ b/nixos/modules/services/web-apps/photoprism.nix
@ -123,7 +123,7 @@ in
        RestrictNamespaces = true;
        RestrictRealtime = true;
        SystemCallArchitectures = "native";
-        SystemCallFilter = [ "@system-service" "~@privileged @setuid @keyring" ];
+        SystemCallFilter = [ "@system-service" "~@setuid @keyring" ];
        UMask = "0066";
      } // lib.optionalAttrs (cfg.port < 1024) {
        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];