From f4e35a731286d9ce733e3b18ba7d284ada58f76e Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Wed, 26 Jan 2022 12:48:24 +0100
Subject: [PATCH] krebs.setuid: add support for capabilities

---
 krebs/3modules/setuid.nix | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix
index 64fedb911..6ad2f1264 100644
--- a/krebs/3modules/setuid.nix
+++ b/krebs/3modules/setuid.nix
@@ -30,6 +30,10 @@ with import <stockholm/lib>;
           };
           apply = toString;
         };
+        capabilities = mkOption {
+          default = [];
+          type = types.listOf types.str;
+        };
         owner = mkOption {
           default = "root";
           type = types.enum (attrNames users);
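Review bot: The new `capabilities` option on the `capabilities = mkOption {` line carries no `description`, although it is the one option in this module that hands out privilege without a setuid bit, so users reading the generated option docs cannot tell what format the strings take or what they grant. A description along the lines of `description = "File capabilities to apply with setcap(8), given in setcap's own syntax; every invoker of the wrapper obtains them.";` would close that gap. Since the type is a plain `types.listOf types.str`, nothing validates the entries before they reach setcap in the second hunk; if the module wants to catch typos at evaluation time rather than at activation, a stricter type or an assertion would be the place to do it. The enclosing option set begins above this hunk.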
@@ -67,6 +71,9 @@ with import <stockholm/lib>;
         cp ${src} ${dst}
         chown ${cfg.owner}.${cfg.group} ${dst}
         chmod ${cfg.mode} ${dst}
+        ${optionalString (cfg.capabilities != []) /* sh */ ''
+          ${pkgs.libcap.out}/bin/setcap ${concatMapStringsSep "," shell.escape cfg.capabilities} ${dst}
+        ''}
       '';
     }));
   };
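Review bot: The `setcap` invocation on the `${pkgs.libcap.out}/bin/setcap` line has no failure handling, so unless the surrounding script (which starts before this hunk) runs under `set -e`, an unsupported capability string or a filesystem that rejects the `security.capability` xattr leaves the wrapper installed with the intended privilege silently missing. Making the failure explicit, e.g. `${pkgs.libcap.out}/bin/setcap ${concatMapStringsSep "," shell.escape cfg.capabilities} ${dst} || { echo "setcap failed for ${dst}" >&2; exit 1; }`, keeps the activation from reporting success for a half-configured wrapper. The placement after `chown`/`chmod` is correct and worth pinning with a comment, because changing the owner of an executable clears its file capabilities, so a reorder would quietly undo the setcap; something like `# setcap must run last: chown clears file capabilities` above the `optionalString` line would document that. Per-element `shell.escape` joined by unquoted commas still forms a single shell word, so the quoting itself looks fine.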