From c01328d8263d0c48d6e0df2f2930e1c51033fe68 Mon Sep 17 00:00:00 2001
From: Hunter Halloran
Date: Wed, 17 Dec 2025 11:15:06 -0500
Subject: [PATCH] gh runner cleanup

---
 sw/builders/services.nix | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/sw/builders/services.nix b/sw/builders/services.nix
index 153c4cf..e6676b2 100644
--- a/sw/builders/services.nix
+++ b/sw/builders/services.nix
@@ -35,11 +35,21 @@ mkIf builderCfg.githubRunner.enable {
 # Restart on failure, but not immediately
 RestartSec = 10;
- # Disable namespace isolation features that don't work in LXC containers
+ # Disable all namespace isolation features that don't work in LXC containers
 PrivateMounts = mkForce false;
 MountAPIVFS = mkForce false;
 BindPaths = mkForce [ ];
 BindReadOnlyPaths = mkForce [ ];
+ PrivateTmp = mkForce false;
+ PrivateDevices = mkForce false;
+ ProtectSystem = mkForce false;
+ ProtectHome = mkForce false;
+ ReadOnlyPaths = mkForce [ ];
+ InaccessiblePaths = mkForce [ ];
+ PrivateUsers = mkForce false;
+ ProtectKernelTunables = mkForce false;
+ ProtectKernelModules = mkForce false;
+ ProtectControlGroups = mkForce false;
 # Override the unconfigure script to be failure-tolerant
 # The '-' prefix means the command failure won't cause the service to fail