modules/public-inbox: make coderepos accessible

1 files changed, 5 insertions, 1 deletions

diff --git a/modules/server/spectrum/public-inbox/default.nix b/modules/server/spectrum/public-inbox/default.nix
index 183f0fbdd414..2c5aed09631b 100644
--- a/modules/server/spectrum/public-inbox/default.nix
+++ b/modules/server/spectrum/public-inbox/default.nix
@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ config, lib, ... }:
 
 let
   repos = [ "crosvm" "doc" "mktuntap" "nixpkgs" "spectrum" "ucspi-vsock" "www" ];
@@ -15,6 +15,10 @@ in
   services.public-inbox.settings.publicinbox.nntpserver =
     [ "nntps://spectrum-os.org" "nntp://spectrum-os.org" ];
 
+  systemd.services.public-inbox-httpd.serviceConfig.ProtectHome = "tmpfs";
+  systemd.services.public-inbox-httpd.serviceConfig.BindReadOnlyPaths =
+    map (c: c.dir) (lib.attrValues config.services.public-inbox.settings.coderepo);
+
   services.public-inbox.settings.coderepo = lib.genAttrs repos (name: {
     dir = "/home/spectrum/git/${name}.git";
     cgitUrl = "https://spectrum-os.org/git/${name}";