From f26b64c660dd8dadfbc1d626b91cf3e3af4a918b Mon Sep 17 00:00:00 2001
From: Colin
Date: Thu, 23 Nov 2023 01:44:27 +0000
Subject: [PATCH] nixremote: fix up perms
---
 hosts/common/users/nixremote.nix | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/hosts/common/users/nixremote.nix b/hosts/common/users/nixremote.nix
index 7ad815ae..4a925f20 100644
--- a/hosts/common/users/nixremote.nix
+++ b/hosts/common/users/nixremote.nix
@@ -8,6 +8,10 @@
 users.users.nixremote = {
 isNormalUser = true;
 home = "/home/nixremote";
+ # remove write permissions everywhere in the home dir.
+ # combined with an ownership of root:nixremote, that means not even nixremote can write anything below this directory
+ # (in which case, i'm not actually sure why nixremote needs a home)
+ homeMode = "550";
 group = "nixremote";
 subUidRanges = [
 { startUid=300000; count=1; }
@@ -24,7 +28,7 @@
 fs."/".dir.acl = {
 # don't allow the user to write anywhere
 user = "root";
- group = "root";
+ group = "nixremote";
 };
 };
 }
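Review bot: The comment added above `homeMode = "550";` overstates what the setting does. A mode on `/home/nixremote` blocks creating, deleting and renaming entries directly inside that directory, but it is not recursive, so any existing child that nixremote owns with write bits stays writable. The lock also depends on the directory really ending up owned by root. If the account-creation path (createHome, which I believe `isNormalUser` turns on) chowns the home back to nixremote, the user could chmod it again, so the resulting owner is worth checking on a deployed host. I would reword the first comment line to `# remove write permission on the home dir itself (not recursive: existing children keep their own modes).` The `users.users.nixremote` block continues outside the hunk.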
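Review bot: The comment `# don't allow the user to write anywhere` above the changed `group` line does not explain why the group must be nixremote, which makes the line easy to revert to `root` by mistake. With mode 550 the "other" class has no bits, so group membership is the only thing giving nixremote read and traverse access, while root ownership is what stops nixremote from changing the mode. Suggested replacement: `# root-owned so nixremote can't chmod it; group nixremote so it can still read/traverse under homeMode 550`. The enclosing block starts outside the hunk, so I am assuming this acl applies to the nixremote home directory.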