Disable ProtectHome for mcp-agent (blocks /run/user for podman)

2026-03-26 14:40:54 -07:00
parent 7f0a978e86
commit e7d244c606
1 changed files with 3 additions and 1 deletions
--- a/configs/mcp.nix
+++ b/configs/mcp.nix
@@ -43,7 +43,9 @@ in

      NoNewPrivileges = true;
      ProtectSystem = "full"; # "strict" blocks /run/user; "full" protects /usr and /boot
-      ProtectHome = true;
+      # ProtectHome makes /run/user inaccessible, which breaks rootless podman.
+      # The agent's home is /srv/mcp (not /home), so this is acceptable.
+      ProtectHome = false;
      PrivateTmp = true;
      PrivateDevices = true;
      ProtectKernelTunables = true;