From 679ea47bf7ea3639d034e7e779017932baaa9f09 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Thu, 8 Jun 2023 10:00:16 -0500 Subject: [PATCH] r/homeassistant: Protect ~/.ssh When the Home Assistant container restarts, Podman relabels the entire `/var/lib/homeassistant` directory as `container_file_t`. Since the *homeassistant* user's home directory is `/var/lib/homeassistant`, its `~/.ssh` directory is thus also relabeled, preventing the SSH daemon from accessing it. Since Home Assistant itself does not need access to this path, we can tell systemd to mount an empty tmpfs filesystem there in the service unit's mount namespace. This way, when Podman relabels the directory, it will change the label of the tmpfs mount point instead of the actual directory. --- roles/homeassistant/templates/homeassistant.service.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/homeassistant/templates/homeassistant.service.j2 b/roles/homeassistant/templates/homeassistant.service.j2 index 15a7d68..4d3d88f 100644 --- a/roles/homeassistant/templates/homeassistant.service.j2 +++ b/roles/homeassistant/templates/homeassistant.service.j2 @@ -21,6 +21,7 @@ ExecStart=/usr/bin/podman run \ --gidmap 1:4000000:65536 \ ghcr.io/home-assistant/{{ homeassistant_image_name }}:stable ProtectSystem=full +TemporaryFileSystem=/var/lib/homeassistant/.ssh UMask=0077 TimeoutStartSec=5min
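Review bot: the rendered unit will carry `TemporaryFileSystem=/var/lib/homeassistant/.ssh` with no explanation, and the reasoning lives only in this commit message; add a `#` comment above the directive in the template (e.g. `# Hide ~/.ssh from Podman's relabel so sshd keeps access to the real directory`) so the next person editing the unit does not drop it as a stray tmpfs. Also worth checking after the first restart that the host-side directory keeps its original label (`ls -dZ /var/lib/homeassistant/.ssh` from outside the unit) and that the service sees the tmpfs, since the fix relies on Podman relabeling the mount point in the unit's private mount namespace rather than the underlying directory.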