be more restrictive with systemd units

author: Ethel Morgan <eth@ethulhu.co.uk> 2020-05-24 11:29:54 +0100
committer: Ethel Morgan <eth@ethulhu.co.uk> 2020-05-24 11:29:54 +0100
commit: 5267b53258f9fdf094b53ee66ff02c4be1161530 (patch)
tree: c9ce64edd3aaac58e780f76c17b3ba42762881f0 /modules/services/snapclient.nix
parent: a9dab79eac7694fe1f27abde1f23169200d7953c (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/modules/services/snapclient.nix b/modules/services/snapclient.nix
index 4fdf266..9f93131 100644
--- a/modules/services/snapclient.nix
+++ b/modules/services/snapclient.nix
@@ -32,6 +32,7 @@ in {
         Group = "audio";
         ExecStart = "${pkgs.snapcast}/bin/snapclient --hostID ${escapeShellArg cfg.hostID}";
         NoNewPrivileges = true;
+        ProtectHome = true;
         ProtectKernelTunables = true;
         ProtectControlGroups = true;
         ProtectKernelModules = true;
author	Ethel Morgan <eth@ethulhu.co.uk>	2020-05-24 11:29:54 +0100
committer	Ethel Morgan <eth@ethulhu.co.uk>	2020-05-24 11:29:54 +0100
commit	5267b53258f9fdf094b53ee66ff02c4be1161530 (patch)
tree	c9ce64edd3aaac58e780f76c17b3ba42762881f0 /modules/services/snapclient.nix
parent	a9dab79eac7694fe1f27abde1f23169200d7953c (diff)