From fa06bbe9cebf60e86b5a4bdefba7633c4b98dafb Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Wed, 18 Mar 2026 15:53:17 +0100
Subject: [PATCH] scrutiny: Fix persistence
---
 modules/nixos/web-services/scrutiny.nix | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/modules/nixos/web-services/scrutiny.nix b/modules/nixos/web-services/scrutiny.nix
index 0789008..ebe0159 100644
--- a/modules/nixos/web-services/scrutiny.nix
+++ b/modules/nixos/web-services/scrutiny.nix
@@ -34,7 +34,16 @@ in
 };
 };
- systemd.services.scrutiny.enableStrictShellChecks = false;
+ systemd.services.scrutiny = {
+ enableStrictShellChecks = false;
+ serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ ProtectSystem = "strict";
+ ProtectHome = "read-only";
+ PrivateTmp = true;
+ RemoveIPC = true;
+ };
+ };
 custom = {
 services.caddy.virtualHosts.${cfg.domain}.port = cfg.port;
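Review bot: Forcing `DynamicUser` off in the new `serviceConfig` without adding `User`/`Group` leaves the unit running as root, unless the upstream module sets a user somewhere outside this hunk. The four options added back mirror what `DynamicUser=` implies, but systemd also implies `NoNewPrivileges=` and `RestrictSUIDSGID=` for dynamic users, and those two are not restored. I would run the service as a static system user and restore both flags, as sketched below. With `ProtectSystem = "strict"` the state path stays writable only through `StateDirectory`/`ReadWritePaths`, so its ownership should be checked after the user change. A short comment on the `mkForce` line saying why the dynamic user breaks persistence would help the next reader.

```nix
systemd.services.scrutiny = {
  # … unchanged: enableStrictShellChecks …
  serviceConfig = {
    # … unchanged: DynamicUser, ProtectSystem, ProtectHome, PrivateTmp, RemoveIPC …
    User = "scrutiny";
    Group = "scrutiny";
    NoNewPrivileges = true;
    RestrictSUIDSGID = true;
  };
};

users.users.scrutiny = {
  isSystemUser = true;
  group = "scrutiny";
};
users.groups.scrutiny = { };
```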