module.nix: apply chroot

2025-11-30 03:32:41 +09:00
parent 1fe08b59a3
commit de57860395
2 changed files with 11 additions and 1 deletions
--- a/assets/systemd/muscl.service
+++ b/assets/systemd/muscl.service
@@ -16,7 +16,6 @@ Group=muscl
 DynamicUser=yes

 ConfigurationDirectory=muscl
-# RuntimeDirectory=muscl

 # This is required to read unix user/group details.
 PrivateUsers=false
--- a/nix/module.nix
+++ b/nix/module.nix
@@ -113,6 +113,17 @@ in
           "${lib.getExe' pkgs.coreutils "kill"} -HUP $MAINPID"
        ];

+        RuntimeDirectory = "muscl/root-mnt";
+        RuntimeDirectoryMode = "0700";
+        RootDirectory = "/run/muscl/root-mnt";
+        BindReadOnlyPaths = [
+          builtins.storeDir
+          "/etc"
+        ]
+        ++ lib.optionals (cfg.settings.mysql.socket_path != null) [
+          cfg.settings.mysql.socket_path
+        ];
+
        IPAddressDeny = "any";
        IPAddressAllow = [
          "127.0.0.0/8"