From a90293626d17fff98668c2d4507c1460d7117b69 Mon Sep 17 00:00:00 2001
From: Gabe Venberg
Date: Thu, 24 Apr 2025 16:33:03 +0200
Subject: [PATCH] Moved back to TemporaryFileSystem for system hardening. I misunderstood bind mounts...
---
 contrib/nixos/modules/copyparty.nix | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/contrib/nixos/modules/copyparty.nix b/contrib/nixos/modules/copyparty.nix
index c5c9be27..f3f2b113 100644
--- a/contrib/nixos/modules/copyparty.nix
+++ b/contrib/nixos/modules/copyparty.nix
@@ -301,8 +301,12 @@ in {
 ) ++ [externalStateDir] ++ (mapAttrsToList (k: v: v.path) cfg.volumes);
- ProtectSystem = "strict";
- ProtectHome = "tmpfs";
+ # ProtectSystem = "strict";
+ # Note that unlike what 'ro' implies,
+ # this actually makes it impossible to read anything in the root FS,
+ # except for things explicitly mounted via `RuntimeDirectory`, `StateDirectory`, `CacheDirectory`, and `BindReadOnlyPaths`.
+ # This is because TemporaryFileSystem creates a *new* *empty* filesystem for the process, so only bindmounts are visible.
+ TemporaryFileSystem = "/:ro";
 PrivateTmp = true;
 PrivateDevices = true;
 ProtectKernelTunables = true;
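Review bot: The new comment understates what stays reachable under `TemporaryFileSystem = "/:ro"`: anything bound through `BindPaths` is also visible and, unlike the read-only tmpfs root, keeps its own write permissions, and the list ending in `externalStateDir` and the volume paths directly above this hunk (its attribute name is outside the hunk, so presumably `BindPaths`) is exactly such a mount; the `ro` option only applies to the empty tmpfs itself, not to the bind mounts layered on top of it. I would reword the comment to say so, e.g. `# TemporaryFileSystem mounts a fresh, empty tmpfs on / (read-only via ':ro'); only paths bound via BindPaths/BindReadOnlyPaths and the systemd-managed State/Runtime/Cache directories exist in it, and BindPaths entries keep their own write permissions.`. Since nothing else from the host is visible, the comment should also state that the Nix store and anything else the binary needs at runtime (e.g. `/etc/resolv.conf`, CA certificates) must be bound explicitly — presumably handled elsewhere in the module, but a reader of this line should know the sandbox depends on that list being complete. Finally, drop the commented-out `# ProtectSystem = "strict";` line rather than carrying dead config; with `/` replaced it (and the removed `ProtectHome`) has nothing left to protect, and a one-line comment saying so is clearer than a disabled setting.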