summary refs log tree commit diff stats
path: root/system/services/nix-sync/default.nix
diff options
context:
space:
mode:
Diffstat (limited to 'system/services/nix-sync/default.nix')
-rw-r--r--system/services/nix-sync/default.nix4
1 files changed, 2 insertions, 2 deletions
diff --git a/system/services/nix-sync/default.nix b/system/services/nix-sync/default.nix
index 11cb551..8c466b8 100644
--- a/system/services/nix-sync/default.nix
+++ b/system/services/nix-sync/default.nix
@@ -104,7 +104,7 @@
       LogsDirectory = "nix-sync";
       LogsDirectoryMode = "0750";
       # Proc filesystem
-      ProcSubset = "pid";
+      ProcSubset = "all";
       ProtectProc = "invisible";
       # New file permissions
       UMask = "0027"; # 0640 / 0750
@@ -115,7 +115,7 @@
       NoNewPrivileges = true;
       # Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html)
       ReadWritePaths = ["${esa (parents repo.path)}" "-${esa repoCachePath}" "-${esa cfg.cachePath}"];
-      # ReadOnlyPaths = ["/nix"];
+      ReadOnlyPaths = ["/nix"];
       ProtectSystem = "strict";
       ProtectHome = true;
       PrivateTmp = true;
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-11-28 22:53:09 +0000