diff --git a/nixos/modules/services/misc/home-assistant.nix b/nixos/modules/services/misc/home-assistant.nix
index 2de25d87ed3..ac4c0222aac 100644
--- a/nixos/modules/services/misc/home-assistant.nix
+++ b/nixos/modules/services/misc/home-assistant.nix
@@ -278,6 +278,11 @@ in {
 "bluetooth_tracker"
 "bluetooth_le_tracker"
 ];
+ componentsUsingPing = [
+ # Components that require the capset syscall for the ping wrapper
+ "ping"
+ "wake_on_lan"
+ ];
 componentsUsingSerialDevices = [
 # Components that require access to serial devices (/dev/tty*)
 # List generated from home-assistant documentation:
@@ -382,6 +387,8 @@ in {
 SystemCallFilter = [
 "@system-service"
 "~@privileged"
+ ] ++ optionals (any useComponent componentsUsingPing) [
+ "capset"
 ];
 UMask = "0077";
 };
diff --git a/nixos/tests/home-assistant.nix b/nixos/tests/home-assistant.nix
index 1ab5755863f..5b1c07c92da 100644
--- a/nixos/tests/home-assistant.nix
+++ b/nixos/tests/home-assistant.nix
@@ -49,6 +49,12 @@ in {
 payload_on = "let_there_be_light";
 payload_off = "off";
 }];
+ wake_on_lan = {};
+ switch = [{
+ platform = "wake_on_lan";
+ mac = "00:11:22:33:44:55";
+ host = "127.0.0.1";
+ }];
 # tests component-based capability assignment (CAP_NET_BIND_SERVICE)
 emulated_hue = {
 host_ip = "127.0.0.1";
@@ -99,6 +105,10 @@ in {
 print("\n### home-assistant.log ###\n")
 print(output_log + "\n")
 
+ # wait for home-assistant to fully boot
+ hass.sleep(30)
+ hass.wait_for_unit("home-assistant.service")
+
 with subtest("Check that no errors were logged"):
 assert "ERROR" not in output_log
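Review bot: The `"capset"` entry re-allows a syscall that the preceding `"~@privileged"` entry removed, and the SystemCallFilter block carries no comment explaining why, so a later reader may well drop it as a mistake; the only explanation lives in the componentsUsingPing comment in the earlier hunk of this file. Add a comment on the `optionals` line such as `# the capability-aware ping wrapper needs capset; re-allow it after ~@privileged drops it, only when a ping-using component is enabled`. Whether the re-allow takes effect presumably depends on systemd applying SystemCallFilter entries in list order, so the comment should also state that `"capset"` must stay after `"~@privileged"`. Note that the relaxation applies to the whole service process tree, not just the ping helper, which is worth saying explicitly. The attribute set enclosing this hunk starts and ends outside it.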
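Review bot: The new `wake_on_lan` switch entry lacks the one-line purpose comment that the neighbouring `emulated_hue` block carries (`# tests component-based capability assignment (CAP_NET_BIND_SERVICE)`), so it is not obvious that it exists to exercise the conditional `capset` syscall allowance rather than the switch platform itself. Add `# tests component-based syscall filter relaxation (capset for the ping wrapper)` above `wake_on_lan = {};`. The `mac` value appears to be a placeholder and `host = "127.0.0.1"` presumably keeps the wrapper's ping on loopback so the test stays self-contained; a short remark to that effect would help the next maintainer. The configuration set enclosing this hunk starts and ends outside it.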