From 3d45dcadbdee91d247747f290bf339ae16a1f0b6 Mon Sep 17 00:00:00 2001
From: Patrick Mulligan
Date: Fri, 9 Jan 2026 23:29:25 +0100
Subject: [PATCH] security(lamassu): re-enable sandboxing for build service
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The build service only needs write access to the data directory. Re-enable ProtectSystem, ProtectHome, NoNewPrivileges with ReadWritePaths to allow writes to /var/lib/lamassu-server.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5
---
 modules/lamassu-lnbits.nix | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/modules/lamassu-lnbits.nix b/modules/lamassu-lnbits.nix
index 0015d99..996841e 100644
--- a/modules/lamassu-lnbits.nix
+++ b/modules/lamassu-lnbits.nix
@@ -281,11 +281,11 @@ in
 TimeoutStartSec = "30min";
 KillMode = "process";
 KillSignal = "SIGTERM";
- # Disable sandboxing for build
- PrivateTmp = false;
- ProtectSystem = false;
- ProtectHome = false;
- NoNewPrivileges = false;
+ # Sandboxing with write access to data directory
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ NoNewPrivileges = true;
+ ReadWritePaths = [ cfg.dataDir ];
 };
 script = ''
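Review bot: With `ProtectSystem = "strict"` everything outside /dev, /proc, /sys and the listed ReadWritePaths is mounted read-only, and the removed `PrivateTmp = false;` line has no replacement, so this build service is left without a writable /tmp (systemd's PrivateTmp default is off); a build step that writes temporary files will now fail at runtime rather than at module evaluation. Adding `PrivateTmp = true;` beside the other hardening lines gives the unit a private, writable /tmp and matches the "re-enable sandboxing" intent, which the commit message states for three options but silently drops for this one. If cfg.dataDir may not yet exist when the unit starts, I believe systemd refuses to start a unit whose ReadWritePaths entry is missing unless the entry is prefixed with `-` — worth confirming, or declaring the directory through StateDirectory instead so creation and permissions are handled by systemd. The enclosing serviceConfig attribute set starts before the hunk and the `script` block continues after it.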