From 5db599f41a14550ea2595e2caed966d75bcd8ae6 Mon Sep 17 00:00:00 2001
From: Ivan Popovych <ivan@ipvych.com>
Date: Sat, 14 Jun 2025 17:42:15 +0300
Subject: [PATCH] etc: guix-daemon.service.in: Disable host filesystem mount
 propagation.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This fixes issue for rootless guix daemon where store being remounted
read-only by gnu-store.mount is propagated to the guix daemon making
guix daemon not able to modify it.

* etc/guix-daemon.service.in: Disable host filesystem mount propagation.

Change-Id: Ib1abc387ee15d2b04d6f70c121244943cd0ad8c6
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Modified-by: Ludovic Courtès <ludo@gnu.org>
---
 etc/guix-daemon.service.in | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/etc/guix-daemon.service.in b/etc/guix-daemon.service.in
index 6a5ef97f9b..6e534771c6 100644
--- a/etc/guix-daemon.service.in
+++ b/etc/guix-daemon.service.in
@@ -21,6 +21,9 @@ User=guix-daemon
 # effect of 'gnu-store.mount'.
 PrivateMounts=true
 BindPaths=@storedir@
+# Disable host file system mount propagation to keep service view of the
+# store read-write after 'gnu-store.mount' makes it read-only system-wide.
+MountFlags=private
 
 # Provide the CAP_CHOWN capability so that guix-daemon can create and chown
 # /var/guix/profiles/per-user/$USER and also chown failed build directories