author | Soispha <soispha@vhack.eu> | 2023-08-02 14:16:57 +0200 |
---|---|---|
committer | sils <sils@noreply.codeberg.org> | 2023-08-04 13:00:46 +0000 |
commit | 340154c843b17aaa492bdd1a193762b6d63372f0 (patch) | |
tree | 28807b090829019fc44b32c6735cc24356945ea0 | |
parent | Fix(system/services/nix-sync): Remove the last access to the file system (diff) | |
Revert: "Fix(system/services/nix-sync): Remove the last access to the file system" nix-sync
This reverts commit 89695f07d3a82fa7651b3c599b2b9327ecb6d097 because it did not do anything, besides cause `nix` to spit some warnings.
-rw-r--r-- | system/services/nix-sync/default.nix | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/system/services/nix-sync/default.nix b/system/services/nix-sync/default.nix
index 11cb551..8c466b8 100644
--- a/system/services/nix-sync/default.nix
+++ b/system/services/nix-sync/default.nix
@@ -104,7 +104,7 @@
 LogsDirectory = "nix-sync";
 LogsDirectoryMode = "0750";
 # Proc filesystem
- ProcSubset = "pid";
+ ProcSubset = "all";
 ProtectProc = "invisible";
 # New file permissions
 UMask = "0027"; # 0640 / 0750
@@ -115,7 +115,7 @@
 NoNewPrivileges = true;
 # Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html)
 ReadWritePaths = ["${esa (parents repo.path)}" "-${esa repoCachePath}" "-${esa cfg.cachePath}"];
- # ReadOnlyPaths = ["/nix"];
+ ReadOnlyPaths = ["/nix"];
 ProtectSystem = "strict";
 ProtectHome = true;
 PrivateTmp = true; |
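Review bot: `ProcSubset = "all"` in the first hunk gives up a hardening restriction without any explanation in the file, so a later hardening pass is likely to set it back to `"pid"` and bring the warnings back. The commit message attributes the revert to `nix` warnings; presumably nix reads entries under /proc that are not per-process, which `"pid"` hides, but that should be confirmed. I would record the reason next to the setting, for example `ProcSubset = "all"; # "pid" makes nix emit warnings; do not tighten without testing a sync run`, and leave `ProtectProc = "invisible"` as it is. The attribute set these options belong to starts and ends outside the hunk.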
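Review bot: `ReadOnlyPaths = ["/nix"]` in the second hunk looks redundant next to `ProtectSystem = "strict"`, which already mounts the whole file system hierarchy read-only for the unit apart from /dev, /proc, /sys and whatever `ReadWritePaths` re-opens. That would be consistent with the commit message saying the reverted change did not do anything. If the line is kept on purpose as a guard in case `ProtectSystem` is relaxed later, a comment should say so, for example `# explicit on purpose: the store stays read-only even if ProtectSystem is loosened`. It is also worth checking that none of the `ReadWritePaths` entries can resolve to a location under /nix, since those would be writable again; the values are defined outside the hunk.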