From e7d244c6066b8f9194f1efb4abcdc341fac15b1b Mon Sep 17 00:00:00 2001
From: Kyle Isom
Date: Thu, 26 Mar 2026 14:40:54 -0700
Subject: [PATCH] Disable ProtectHome for mcp-agent (blocks /run/user for podman)
---
 configs/mcp.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/configs/mcp.nix b/configs/mcp.nix
index 543dbaa..2b27c76 100644
--- a/configs/mcp.nix
+++ b/configs/mcp.nix
@@ -43,7 +43,9 @@ in
 NoNewPrivileges = true;
 ProtectSystem = "full"; # "strict" blocks /run/user; "full" protects /usr and /boot
- ProtectHome = true;
+ # ProtectHome makes /run/user inaccessible, which breaks rootless podman.
+ # The agent's home is /srv/mcp (not /home), so this is acceptable.
+ ProtectHome = false;
 PrivateTmp = true;
 PrivateDevices = true;
 ProtectKernelTunables = true;
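Review bot: Setting `ProtectHome = false;` removes more than the /run/user restriction: /home and /root also become visible to the agent again, and the added comment's justification (the agent's home is /srv/mcp) explains why the agent never needed /home, not why exposing other users' homes is acceptable. systemd supports a narrower form, `ProtectHome = "tmpfs";` together with `BindPaths = [ "/run/user/<AGENT_UID>" ];` (placeholder; the uid is not shown in this hunk), which keeps /home, /root and other users' runtime directories hidden while giving rootless podman its own runtime directory. The bind source has to exist when the unit starts, so this presumably depends on lingering or a logind session for the agent user. The enclosing attribute set starts and ends outside the hunk, so I cannot see whether another option already restricts these paths.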