lorri: unbreak due to too tight sandboxing

lorri needs to be able to write to /run/user/uid for the socket, to its own cache directory ~/.cache/lorri and to the directory for gc roots.
2024-01-01 09:56:03 +01:00 · 2024-01-01 09:56:03 +01:00 · f06edaf18b
parent b7ef79bcf4
commit f06edaf18b
1 changed files with 6 additions and 0 deletions
--- a/modules/services/lorri.nix
+++ b/modules/services/lorri.nix
@ -52,6 +52,12 @@ in {
          PrivateTmp = true;
          ProtectSystem = "strict";
          ProtectHome = "read-only";
+          ReadWritePaths = [
+            # /run/user/1000 for the socket
+            "%t"
+            "/nix/var/nix/gcroots/per-user/%u"
+          ];
+          CacheDirectory = [ "lorri" ];
          Restart = "on-failure";
          Environment = let
            path = with pkgs;