From c1565efb2d512fdd01a758414101a8f82e93bf50 Mon Sep 17 00:00:00 2001
From: Colin
Date: Wed, 22 Jan 2025 10:50:49 +0000
Subject: [PATCH] sane-reclaim-disk-space: fix capability sandboxing
---
 hosts/common/programs/sane-scripts.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/hosts/common/programs/sane-scripts.nix b/hosts/common/programs/sane-scripts.nix
index 144c6b521..1d9f0062b 100644
--- a/hosts/common/programs/sane-scripts.nix
+++ b/hosts/common/programs/sane-scripts.nix
@@ -140,7 +140,10 @@ in
 "sane-scripts.reclaim-disk-space".sandbox = {
 method = "bunpen";
 extraPaths = [ "/nix/var/nix" ];
- capabilities = [ "sys_admin" ]; # for it to remount /nix/store
+ capabilities = [
+ "dac_override" # some packages have files which aren't `w`
+ "sys_admin" # for it to remount /nix/store
+ ];
 tryKeepUsers = true;
 };
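Review bot: The new `dac_override` entry widens the sandbox more than its comment conveys. CAP_DAC_OVERRIDE bypasses read, write and execute permission checks on every path the sandboxed process can reach, not only the non-writable package files, and it is now held together with `sys_admin`. I would make the comment state that scope, for example `"dac_override"  # bypasses DAC checks on every reachable path; needed to delete store files lacking the write bit`. The script itself is not visible here, so which step actually fails without the capability is an inference and worth naming in the comment once confirmed. The attribute set starts and ends outside this hunk, so what `extraPaths` and `tryKeepUsers = true` expose to this capability should be checked against the rest of the sandbox definition.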