From 75270321d56e17aa9203b8468bca31a4d13a1336 Mon Sep 17 00:00:00 2001
From: Akshay Mankar
Date: Sat, 2 Dec 2023 17:22:28 +0100
Subject: [PATCH] fix: Allow matrix-appservice-irc to chown things

@chown is part of @privileged. It is used by sed which is used to manage the registration.yaml
---
 hosts/nachtigall/apps/matrix/irc.nix | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/hosts/nachtigall/apps/matrix/irc.nix b/hosts/nachtigall/apps/matrix/irc.nix
index 8f65985..da20617 100644
--- a/hosts/nachtigall/apps/matrix/irc.nix
+++ b/hosts/nachtigall/apps/matrix/irc.nix
@@ -1,5 +1,10 @@
-{lib, ...}:
+{pkgs, lib, ...}:
 {
+ systemd.services.matrix-appservice-irc.serviceConfig.SystemCallFilter = lib.mkForce [
+ "@system-service @pkey"
+ "~@privileged @resources"
+ "@chown"
+ ];
 services.matrix-appservice-irc = {
 enable = true;
 localpart = "irc_bot";
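Review bot: The `lib.mkForce` on `SystemCallFilter` replaces the service's entire filter with this hand-written list instead of extending it, so any later tightening of the upstream module's filter would be silently discarded on this host, and nothing next to the setting records why the list looks the way it does. I would put a comment above the assignment, e.g. `# mkForce: upstream filter plus @chown (sed on registration.yaml needs it); @chown must come after ~@privileged; re-sync when the nixpkgs module changes`. Re-allowing `@chown` is only as safe as the unit's capability set: assuming the service runs unprivileged and without CAP_CHOWN the calls can do little, which is worth confirming with `systemd-analyze security matrix-appservice-irc`. The new `pkgs` argument is not used in the visible lines; the file continues beyond the hunk, so drop it if nothing further down needs it.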