From 1a32a3d826a48485659d6632ad0a7eb9563d321f Mon Sep 17 00:00:00 2001
From: Alex Mickelson
Date: Sat, 7 Feb 2026 13:36:01 -0700
Subject: [PATCH] environment

---
 nix/home-server.nix | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/nix/home-server.nix b/nix/home-server.nix
index 36682be..dd28569 100644
--- a/nix/home-server.nix
+++ b/nix/home-server.nix
@@ -329,21 +329,27 @@
         "/data/runner"
         "/home/github/infrastructure"
       ];
-      PrivateDevices = false;
       DeviceAllow = [ "/dev/zfs rw" ];
-      ProtectProc = "default";
       ProtectSystem = false;
       PrivateMounts = false;
       PrivateUsers = false;
       ProtectHome = false;
-
-      Restart = lib.mkForce "always";
-
-      Environment = [
-        "PATH=/run/current-system/sw/bin:/nix/var/nix/profiles/default/bin"
+      NoNewPrivileges = false; # Add this
+
+      # Ensure access to Nix store and system paths
+      BindReadOnlyPaths = [
+        "/nix/store"
+        "/run/current-system"
       ];
+
+      # Set proper PATH
+      Environment = [
+        "PATH=/run/current-system/sw/bin:/nix/var/nix/profiles/default/bin:/usr/bin:/bin"
+      ];
+
+      Restart = lib.mkForce "always";
     };
     users.users.gitea-runner = {
       isNormalUser = true;
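Review bot: `NoNewPrivileges = false; # Add this` carries an editing instruction rather than a reason, and `false` is also systemd's default, so the line only has an effect if another module (presumably the upstream runner module) sets the option — in which case it needs `lib.mkForce` the way `Restart` already does, or the module system will flag conflicting definitions. For a unit that now runs with ProtectSystem, PrivateMounts, PrivateUsers and ProtectHome all off plus `DeviceAllow = [ "/dev/zfs rw" ]`, each relaxed option should say which job step needs it, e.g. `# NoNewPrivileges off: <JOB-STEP-PLACEHOLDER> needs setuid/capability escalation`. The `# Set proper PATH` comment would likewise be more useful naming the tool the added `/usr/bin:/bin` entries are for, since on NixOS those directories normally hold only `env` and `sh`. The `BindReadOnlyPaths` block is documented, but with ProtectSystem disabled the unit can already read `/nix/store`, so a word on which namespace setting the binds are working around would help the next reader.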