From 00e9d704ce9bce563d7bbd2bf357d631a418ec19 Mon Sep 17 00:00:00 2001
From: Alyssa Ross <hi@alyssa.is>
Date: Mon, 5 Jun 2023 17:27:41 +0000
Subject: modules/public-inbox: make coderepos accessible

---
 modules/server/spectrum/public-inbox/default.nix | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'modules/server/spectrum/public-inbox')

diff --git a/modules/server/spectrum/public-inbox/default.nix b/modules/server/spectrum/public-inbox/default.nix
index 183f0fbdd414..2c5aed09631b 100644
--- a/modules/server/spectrum/public-inbox/default.nix
+++ b/modules/server/spectrum/public-inbox/default.nix
@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ config, lib, ... }:
 
 let
   repos = [ "crosvm" "doc" "mktuntap" "nixpkgs" "spectrum" "ucspi-vsock" "www" ];
@@ -15,6 +15,10 @@ in
   services.public-inbox.settings.publicinbox.nntpserver =
     [ "nntps://spectrum-os.org" "nntp://spectrum-os.org" ];
 
+  systemd.services.public-inbox-httpd.serviceConfig.ProtectHome = "tmpfs";
+  systemd.services.public-inbox-httpd.serviceConfig.BindReadOnlyPaths =
+    map (c: c.dir) (lib.attrValues config.services.public-inbox.settings.coderepo);
+
   services.public-inbox.settings.coderepo = lib.genAttrs repos (name: {
     dir = "/home/spectrum/git/${name}.git";
     cgitUrl = "https://spectrum-os.org/git/${name}";
-- 
cgit 1.4.1