lorri.service: remove ProtectHome, relax ProtectSystem

per lorri's readme:

  lorri creates an indirect garbage collection root for each .drv in
  $XDG_CACHE_HOME/lorri (~/.cache/lorri/ by default) each time it
  evaluates your project.

... so it doesn't make sense to have ProtectHome enabled for
lorri.service.  lorri also needs to be able to modify
/nix/var/nix/gcroots/per-user/, so ProtectSystem can't be 'strict';
'full' is the next strongest.

fixes:

lorri: ERRO IO error binding to socket: Read-only file system (os error 30)

bisecting this error leads to a range of unbuildable commits including
'a31429165204 Merge pull request #243242 from
RaitoBezarius/systemd-254', so it's likely that systemd update changed
the behaviour of ProtectHome somehow (though the release notes don't
have any obvious culprits).

1 files changed, 1 insertions, 2 deletions

diff --git a/nixos/modules/services/development/lorri.nix b/nixos/modules/services/development/lorri.nix
index 74f56f5890fc..df3d814d7444 100644
--- a/nixos/modules/services/development/lorri.nix
+++ b/nixos/modules/services/development/lorri.nix
@@ -44,8 +44,7 @@ in {
       serviceConfig = {
         ExecStart = "${cfg.package}/bin/lorri daemon";
         PrivateTmp = true;
-        ProtectSystem = "strict";
-        ProtectHome = "read-only";
+        ProtectSystem = "full";
         Restart = "on-failure";
       };
     };