server: disable landlock in systemd daemon

This ensures that reloads work correctly

assets/systemd/muscl.service

@@ -4,7 +4,7 @@ Requires=muscl.socket
 
 [Service]
 Type=notify
-ExecStart=/usr/bin/muscl server --systemd socket-activate
+ExecStart=/usr/bin/muscl server --systemd --disable-landlock socket-activate
 ExecReload=/usr/bin/kill -HUP $MAINPID
 
 WatchdogSec=15

nix/module.nix

@@ -116,7 +116,7 @@ in
       serviceConfig = {
         ExecStart = [
           ""
-          "${lib.getExe cfg.package} ${cfg.logLevel} server --systemd socket-activate"
+          "${lib.getExe cfg.package} ${cfg.logLevel} server --systemd --disable-landlock socket-activate"
         ];
 
         ExecReload = [

src/main.rs

@@ -147,8 +147,10 @@ fn handle_server_command(args: &Args) -> anyhow::Result<Option<()>> {
                 "The executable should not be SUID or SGID when running the server manually"
             );
 
+            if !command.disable_landlock {
                 landlock_restrict_server(args.config.as_deref())
                     .context("Failed to apply Landlock restrictions to the server process")?;
+            }
 
             tokio_start_server(
                 args.config.to_owned(),

src/server/command.rs

@@ -10,10 +10,13 @@ use crate::{core::common::DEFAULT_CONFIG_PATH, server::supervisor::Supervisor};
 #[derive(Parser, Debug, Clone)]
 pub struct ServerArgs {
     #[command(subcommand)]
-    subcmd: ServerCommand,
+    pub subcmd: ServerCommand,
 
     #[arg(long)]
-    systemd: bool,
+    pub systemd: bool,
+
+    #[arg(long)]
+    pub disable_landlock: bool,
 }
 
 #[derive(Parser, Debug, Clone)]