From f2831a98b7fc3401c85033b834228725dbcb1511 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Mon, 24 Oct 2022 14:57:25 +0200
Subject: [PATCH] nixos/acme: Relax syscall filter after go upgrade

With Go 1.19 calls to setrlimit are required for lego to run. While we could allow setrlimit alone, I think it is not unreasonable to allow @resources in general.

Closes: #197513
---
 nixos/modules/security/acme/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/security/acme/default.nix b/nixos/modules/security/acme/default.nix
index e9299fb1b3ad..1c4a88954b65 100644
--- a/nixos/modules/security/acme/default.nix
+++ b/nixos/modules/security/acme/default.nix
@@ -62,9 +62,9 @@ let
 SystemCallArchitectures = "native";
 SystemCallFilter = [
 # 1. allow a reasonable set of syscalls
- "@system-service"
+ "@system-service @resources"
 # 2. and deny unreasonable ones
- "~@privileged @resources"
+ "~@privileged"
 # 3. then allow the required subset within denied groups
 "@chown"
 ];
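Review bot: Dropping `@resources` from the deny entry in step 2 opens the whole group (scheduling, priority and memory-policy calls as well as resource limits) to the ACME units, although the commit message says only `setrlimit` is needed. A narrower form keeps `"~@privileged @resources"` and re-allows the single call in step 3, e.g. `"@chown" "setrlimit"` with a comment such as `# setrlimit: required by lego since Go 1.19`; this should be confirmed by running lego under the filter, since the runtime may need a neighbouring call as well. If the broader allowance is kept, the explicit `@resources` in step 1 looks redundant, because `@system-service` appears to include that group already, and a short comment naming the Go 1.19 requirement would explain why the filter is wider than before. The attribute set holding `SystemCallFilter` starts and ends outside this hunk, so the other hardening options were not reviewed.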