From d4061dcc6e429510c3ac4e1fc3da34325eed8096 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Tue, 25 Jan 2022 18:29:16 +0100
Subject: [PATCH 1/2] nixos/home-assistant: allow capset with components using ping command

---
 nixos/modules/services/misc/home-assistant.nix | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/nixos/modules/services/misc/home-assistant.nix b/nixos/modules/services/misc/home-assistant.nix
index 2de25d87ed3..ac4c0222aac 100644
--- a/nixos/modules/services/misc/home-assistant.nix
+++ b/nixos/modules/services/misc/home-assistant.nix
@@ -278,6 +278,11 @@ in {
 "bluetooth_tracker"
 "bluetooth_le_tracker"
 ];
+ componentsUsingPing = [
+ # Components that require the capset syscall for the ping wrapper
+ "ping"
+ "wake_on_lan"
+ ];
 componentsUsingSerialDevices = [
 # Components that require access to serial devices (/dev/tty*)
 # List generated from home-assistant documentation:
@@ -382,6 +387,8 @@ in {
 SystemCallFilter = [
 "@system-service"
 "~@privileged"
+ ] ++ optionals (any useComponent componentsUsingPing) [
+ "capset"
 ];
 UMask = "0077";
 };

From d9ad2b40f14cf5c8e668e7efb51de5c4a987a371 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Tue, 25 Jan 2022 18:30:43 +0100
Subject: [PATCH 2/2] nixos/tests/home-assistant: test ping via wake_on_lan component

Let the home-assistant instance linger around for 30s so it can run regular jobs and trigger more code paths that could result in errors.
---
 nixos/tests/home-assistant.nix | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/nixos/tests/home-assistant.nix b/nixos/tests/home-assistant.nix
index 1ab5755863f..5b1c07c92da 100644
--- a/nixos/tests/home-assistant.nix
+++ b/nixos/tests/home-assistant.nix
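Review bot: The comment on `componentsUsingPing` in the first hunk of nixos/modules/services/misc/home-assistant.nix does not say how the list was derived, unlike `componentsUsingSerialDevices` directly below it, which records that it was generated from the home-assistant documentation. Any other component that invokes the ping wrapper but is missing from this list keeps `capset` denied by the unit's syscall filter, so the list needs a stated maintenance rule. I would extend the comment to something like `# Components that call the ping wrapper, which needs capset (otherwise denied by ~@privileged)` plus, if the list is hand-maintained, `# Maintained by hand; add any component that shells out to ping`. The attribute set this list belongs to starts outside the hunk.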
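Review bot: The `"capset"` entry in the `SystemCallFilter` hunk only takes effect because it is appended after `"~@privileged"`: systemd evaluates the list in order and `capset` is a member of `@privileged`, so sorting or reordering the list would silently turn the exception into a no-op. A comment at the `optionals` line would protect that ordering, e.g. `# must stay after "~@privileged": re-allows capset, needed by the ping wrapper`. Allowing the syscall does not grant capabilities by itself, but what the service can do with it depends on `CapabilityBoundingSet` and `NoNewPrivileges`, which are not visible in this hunk and are worth checking alongside this change. The enclosing service configuration block continues outside the hunk.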
@@ -49,6 +49,12 @@ in { payload_on = "let_there_be_light"; payload_off = "off"; }]; + wake_on_lan = {}; + switch = [{ + platform = "wake_on_lan"; + mac = "00:11:22:33:44:55"; + host = "127.0.0.1"; + }]; # tests component-based capability assignment (CAP_NET_BIND_SERVICE) emulated_hue = { host_ip = "127.0.0.1"; @@ -99,6 +105,10 @@ in { print("\n### home-assistant.log ###\n") print(output_log + "\n") + # wait for home-assistant to fully boot + hass.sleep(30) + hass.wait_for_unit("home-assistant.service") + with subtest("Check that no errors were logged"): assert "ERROR" not in output_log
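Review bot: The new `wake_on_lan` and `switch` entries in the first hunk of nixos/tests/home-assistant.nix carry no comment saying what they exercise, while the `emulated_hue` block right below them is labelled `# tests component-based capability assignment (CAP_NET_BIND_SERVICE)`. I would add a matching line above `wake_on_lan = {};`, e.g. `# tests component-based syscall filter assignment (capset, via the ping wrapper)`, so the fixture is not later removed as unrelated configuration and the hardening exception stays covered. The surrounding configuration attribute set starts and ends outside the hunk.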
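Review bot: The added `hass.sleep(30)` and `hass.wait_for_unit("home-assistant.service")` sit after `print(output_log + "\n")`, so `output_log` has already been read when the wait starts and the final `assert "ERROR" not in output_log` still checks the pre-wait log. Errors logged during those 30 seconds, including a denied `capset` when the `wake_on_lan` switch pings its host, would presumably be noticed only if the unit itself fails. I would move the three added lines above the statement that reads the log (it is outside the hunk), or read the log again after `wait_for_unit` and assert on that fresh value. A fixed sleep is also timing-dependent; polling for a log line or entity state that proves the ping ran would make the check deterministic.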