From 7e398b3d76bc1503171b1364c9d4a07ac06f3851 Mon Sep 17 00:00:00 2001
From: Guillaume Girol
Date: Mon, 1 Jan 2024 09:56:03 +0100
Subject: [PATCH] lorri: unbreak due to too tight sandboxing

lorri needs to be able to write to /run/user/uid for the socket, to its own cache directory ~/.cache/lorri and to the directory for gc roots.

(cherry picked from commit f06edaf18b119da7bb301eebbf87971bbb9fb162)
---
 modules/services/lorri.nix | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/modules/services/lorri.nix b/modules/services/lorri.nix
index 85b75682..f782ff88 100644
--- a/modules/services/lorri.nix
+++ b/modules/services/lorri.nix
@@ -52,6 +52,12 @@ in {
 PrivateTmp = true;
 ProtectSystem = "strict";
 ProtectHome = "read-only";
+ ReadWritePaths = [
+ # /run/user/1000 for the socket
+ "%t"
+ "/nix/var/nix/gcroots/per-user/%u"
+ ];
+ CacheDirectory = [ "lorri" ];
 Restart = "on-failure";
 Environment = let
 path = with pkgs;
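Review bot: Listing `"%t"` in `ReadWritePaths` makes the whole per-user runtime directory writable for the daemon, not only lorri's socket; that directory usually also holds the sockets of other session services, so the `ProtectSystem = "strict"` sandbox is loosened further than the commit message requires. If lorri's socket sits in its own subdirectory (not visible in this hunk), a narrower entry such as `"%t/lorri"` or a `RuntimeDirectory` setting would keep the rest of the runtime directory read-only. The gc-roots entry is also likely to make the unit fail at start-up when that directory does not exist yet; writing it as `"-/nix/var/nix/gcroots/per-user/%u"` makes systemd skip a missing path. The inline comment could read `# %t is the user runtime directory (e.g. /run/user/1000), needed for the socket` so the hard-coded uid is clearly an example. The enclosing service definition starts and ends outside the hunk.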