From a0d5034e85e2ca94188c3d4495576d7bb2738d43 Mon Sep 17 00:00:00 2001
From: h7x4 <h7x4@nani.wtf>
Date: Wed, 29 Apr 2026 05:05:21 +0900
Subject: [PATCH] module.nix: grant `CAP_DAC_READ_SEARCH` to daemon

---
 nix/module.nix | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/nix/module.nix b/nix/module.nix
index 45ff95c..79975de 100644
--- a/nix/module.nix
+++ b/nix/module.nix
@@ -73,8 +73,10 @@ in {
         # PrivateUsers = true;
         # ProtectHome = true;
 
-        AmbientCapabilities = "";
-        CapabilityBoundingSet = "";
+        # NOTE: We need this capability to be able to read inside the home directories of users without
+        #       them needing to open their homedirs to the rest of the system.
+        AmbientCapabilities = [ "CAP_DAC_READ_SEARCH" ];
+        CapabilityBoundingSet = [ "CAP_DAC_READ_SEARCH" ];
         DeviceAllow = "";
         DevicePolicy = "closed";
         LockPersonality = true;