From 5267b53258f9fdf094b53ee66ff02c4be1161530 Mon Sep 17 00:00:00 2001
From: Ethel Morgan <eth@ethulhu.co.uk>
Date: Sun, 24 May 2020 11:29:54 +0100
Subject: be more restrictive with systemd units

---
 modules/services/snapclient.nix | 1 +
 1 file changed, 1 insertion(+)

(limited to 'modules/services/snapclient.nix')

diff --git a/modules/services/snapclient.nix b/modules/services/snapclient.nix
index 4fdf266..9f93131 100644
--- a/modules/services/snapclient.nix
+++ b/modules/services/snapclient.nix
@@ -32,6 +32,7 @@ in {
         Group = "audio";
         ExecStart = "${pkgs.snapcast}/bin/snapclient --hostID ${escapeShellArg cfg.hostID}";
         NoNewPrivileges = true;
+        ProtectHome = true;
         ProtectKernelTunables = true;
         ProtectControlGroups = true;
         ProtectKernelModules = true;
-- 
cgit v1.2.3