From 4ca6a90975a93ca95f35b163adbe1a0a846a65c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Motiejus=20Jak=C5=A1tys?= <motiejus@jakstys.lt>
Date: Sun, 29 Sep 2024 22:40:53 +0300
Subject: [PATCH] immich: works with mounts

---
 modules/services/immich/default.nix | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/modules/services/immich/default.nix b/modules/services/immich/default.nix
index 09c8cf5..a674435 100644
--- a/modules/services/immich/default.nix
+++ b/modules/services/immich/default.nix
@@ -61,15 +61,8 @@ in
         ) cfg.bindPaths;
         PrivateDevices = lib.mkForce false; # /dev/fuse
         CapabilityBoundingSet = lib.mkForce "CAP_SYS_ADMIN | CAP_SETUID | CAP_SETGID";
-
-        # testing
         ExecStart = lib.mkForce ("!" + (lib.getExe startScript));
-        NoNewPrivileges = lib.mkForce false;
-        PrivateUsers = lib.mkForce false;
-        PrivateTmp = lib.mkForce false;
-        PrivateMounts = lib.mkForce false;
-        ProtectClock = lib.mkForce false;
-        ProtectControlGroups = lib.mkForce false;
+        PrivateUsers = lib.mkForce false; # bindfs fails otherwise
       };
     };