Diffstat (limited to 'nixos/modules/services/mail/public-inbox.nix')
-rw-r--r--nixos/modules/services/mail/public-inbox.nix15
1 files changed, 4 insertions, 11 deletions
diff --git a/nixos/modules/services/mail/public-inbox.nix b/nixos/modules/services/mail/public-inbox.nix
index a7d7097065a2..4944d46fbd73 100644
--- a/nixos/modules/services/mail/public-inbox.nix
+++ b/nixos/modules/services/mail/public-inbox.nix
@@ -89,7 +89,7 @@ let
       PrivateNetwork = mkDefault (!needNetwork);
       ProcSubset = "pid";
       ProtectClock = true;
-      ProtectHome = mkDefault true;
+      ProtectHome = "tmpfs";
       ProtectHostname = true;
       ProtectKernelLogs = true;
       ProtectProc = "invisible";
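Review bot: Dropping `mkDefault` on the new `ProtectHome = "tmpfs";` line turns a user-overridable default into a hard value, so a deployment that already sets `serviceConfig.ProtectHome` on one of these units now gets a conflicting-definition error instead of winning, and must reach for `mkForce`. If the switch to `tmpfs` exists so that read-only bind mounts of coderepo directories under /home can be placed inside the sandbox (systemd documents `ProtectHome=tmpfs` for exactly that, whereas `true` hides those trees entirely), that intent should sit next to the line, e.g. `# tmpfs, not true: lets BindReadOnlyPaths expose coderepo dirs that live under /home`. Consider keeping it `mkDefault "tmpfs"` unless the hardening must be non-overridable, and say which in the comment. The enclosing `let` attribute set starts and ends outside the hunk.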
@@ -460,6 +460,8 @@ in
           after = [ "public-inbox-init.service" "public-inbox-watch.service" ];
           requires = [ "public-inbox-init.service" ];
           serviceConfig = {
+            BindPathsReadOnly =
+              map (c: c.dir) (lib.attrValues cfg.settings.coderepo);
             ExecStart = escapeShellArgs (
               [ "${cfg.package}/bin/public-inbox-httpd" ] ++
               cfg.http.args ++
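Review bot: `BindPathsReadOnly` is not a systemd directive; the read-only variant of `BindPaths=` is `BindReadOnlyPaths=`, so systemd will log an unknown-key warning and ignore the setting, and the coderepo directories are never mounted into the httpd sandbox (with the `ProtectHome = "tmpfs"` change in the same commit, any repo under /home would then be invisible to the daemon, assuming httpd uses that shared serviceConfig). The fix is the key name: `BindReadOnlyPaths =`. Note also that systemd fails the unit at start if a listed source path does not exist unless the entry is prefixed with `-`; failing closed on a misconfigured `dir` is reasonable, but a short comment stating that choice would help whoever next edits `cfg.settings.coderepo`. Stylistically, the surrounding code calls `mkDefault` and `escapeShellArgs` unqualified, so `lib.attrValues` should probably follow suit if `lib` is already in scope.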
@@ -563,16 +565,7 @@ in
                 ${pkgs.git}/bin/git config core.sharedRepository 0640
               fi
             '') cfg.inboxes
-            ) + ''
-            shopt -s nullglob
-            for inbox in ${stateDir}/inboxes/*/; do
-              # This should be idempotent, but only do it for new
-              # inboxes anyway because it's only needed once, and could
-              # be slow for large pre-existing inboxes.
-              ls -1 "$inbox" | grep -q '^xap' ||
-              ${cfg.package}/bin/public-inbox-index "$inbox"
-            done
-          '';
+            );
           serviceConfig = {
             Type = "oneshot";
             RemainAfterExit = true;