From e5143301e214ec9099f882fda8363d9080e86243 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= <sandro.jaeckel@gmail.com>
Date: Tue, 26 Aug 2025 16:31:18 +0200
Subject: [PATCH] nixos/gotenberg: fix starting chromium

[Tue Aug 26 16:12:02 2025] audit: type=1326 audit(1756217587.085:126): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=3124193 comm="chromium" exe="/nix/store/xrjg398ps4mkbpsz66kpjgqfzfjpm2cr-chromium-unwrapped-139.0.7258.127/libexec/chromium/chromium" sig=31 arch=c000003e syscall=330 compat=0 ip=0x7f001d2c4afb code=0x80000000
---
 nixos/modules/services/misc/gotenberg.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/nixos/modules/services/misc/gotenberg.nix b/nixos/modules/services/misc/gotenberg.nix
index e306e530116a..ed4549b03436 100644
--- a/nixos/modules/services/misc/gotenberg.nix
+++ b/nixos/modules/services/misc/gotenberg.nix
@@ -303,6 +303,7 @@ in
       };
       serviceConfig = {
         Type = "simple";
+        # NOTE: disable to debug chromium crashes or otherwise no coredump is created and forbidden syscalls are not being logged
         DynamicUser = true;
         ExecStart = "${lib.getExe cfg.package} ${lib.escapeShellArgs args}";
 
@@ -340,6 +341,7 @@ in
           "@sandbox"
           "@system-service"
           "@chown"
+          "@pkey" # required by chromium or it crashes
         ];
         SystemCallArchitectures = "native";