From 73aed13f875594eb36cccbb6c9a559e12a612be1 Mon Sep 17 00:00:00 2001
From: Christopher Bacher
Date: Sat, 15 Oct 2022 21:09:27 +0200
Subject: [PATCH] modules(pihole-container): make newuidmap available to systemd service

See https://github.com/NixOS/nixpkgs/issues/138423

Potentially a security issue as `/run/wrappers/bin/` contains more commands often with suid bit set.
---
 modules/pihole-container.factory.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/modules/pihole-container.factory.nix b/modules/pihole-container.factory.nix
index 28c234f..1f07d33 100644
--- a/modules/pihole-container.factory.nix
+++ b/modules/pihole-container.factory.nix
@@ -279,8 +279,11 @@ in rec {
 wantedBy = [ "multi-user.target" ];
 after = [ "network-online.target" ];
+ # required to make `newuidmap` available to the systemd service (see https://github.com/NixOS/nixpkgs/issues/138423)
+ path = [ "/run/wrappers" ];
+
 serviceConfig = let
- optPihole = options.services.pihole;
+ opt = options.services.pihole;
 containerEnvVars = let
 envVarFragments = collectAttrFragments (value: isAttrs value && value ? "envVar") opt.piholeConfiguration;