Harden forge NBC worker runtime and MVPD selection

2026-04-03 03:11:11 -07:00 · 2026-04-03 03:11:11 -07:00 · 8065860449
commit 8065860449
parent 3402f7dab2
4 changed files with 102 additions and 3 deletions
--- a/nix/modules/ec-node.nix
+++ b/nix/modules/ec-node.nix
@ -646,6 +646,7 @@ in
                SystemCallArchitectures = "native";
                ReadWritePaths =
                  lib.optionals cfg.control.enable [ "/run/every-channel" ]
+                  ++ lib.optionals isNbc [ "/tmp" ]
                  ++ lib.optionals isNbc [ cfg.nbc.profileDir cfg.nbc.authScreenshotDir ];
              };

@ -656,6 +657,7 @@ in
                  EVERY_CHANNEL_NBC_CHROME_PATH = cfg.nbc.chromeBinary;
                  EVERY_CHANNEL_NBC_PROFILE_DIR = cfg.nbc.profileDir;
                  EVERY_CHANNEL_NBC_NO_SANDBOX = if cfg.nbc.noSandbox then "1" else "0";
+                  HOME = "/var/lib/every-channel";
                };
            };
          })