From 26e4620f8fc0f0f9bdd91a15346ef454b28f1eb7 Mon Sep 17 00:00:00 2001
From: Richie Cahill <Richie@tmmworkshop.com>
Date: Mon, 30 Mar 2026 12:59:54 -0400
Subject: [PATCH] fixed systemd sandboxing

---
 .vscode/settings.json                      |  1 +
 systems/jeeves/services/postgress.nix      |  4 ++++
 users/richie/home/gui/vscode/settings.json | 21 +++++++++++----------
 3 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/.vscode/settings.json b/.vscode/settings.json
index 7ea1d20..a50732f 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -308,6 +308,7 @@
     "usernamehw",
     "userprefs",
     "vaninventory",
+    "vdev",
     "vfat",
     "victron",
     "virt",
diff --git a/systems/jeeves/services/postgress.nix b/systems/jeeves/services/postgress.nix
index 65cec48..a9e516c 100644
--- a/systems/jeeves/services/postgress.nix
+++ b/systems/jeeves/services/postgress.nix
@@ -5,6 +5,10 @@ in
 {
   networking.firewall.allowedTCPPorts = [ 5432 ];
 
+  # Symlink pg_wal to a ZFS dataset on the special (metadata) vdev for fast WAL writes
+  # this is required for systemd sandboxing
+  systemd.services.postgresql.serviceConfig.ReadWritePaths = [ "/zfs/media/database/postgres-wal" ];
+
   services.postgresql = {
     enable = true;
     package = pkgs.postgresql_17_jit;
diff --git a/users/richie/home/gui/vscode/settings.json b/users/richie/home/gui/vscode/settings.json
index c44b664..c49309f 100644
--- a/users/richie/home/gui/vscode/settings.json
+++ b/users/richie/home/gui/vscode/settings.json
@@ -20,15 +20,15 @@
   // turns off all sounds and announcements
   "accessibility.signals.terminalCommandFailed": {
     "sound": "off",
-    "announcement": "off"
+    "announcement": "off",
   },
   "accessibility.signals.terminalQuickFix": {
     "sound": "off",
-    "announcement": "off"
+    "announcement": "off",
   },
   "accessibility.signals.terminalBell": {
     "sound": "off",
-    "announcement": "off"
+    "announcement": "off",
   },
 
   // database settings
@@ -41,8 +41,8 @@
       "driver": "PostgreSQL",
       "name": "main",
       "database": "postgres",
-      "username": "richie"
-    }
+      "username": "richie",
+    },
   ],
 
   // formatters
@@ -55,7 +55,7 @@
   "[yaml]": { "editor.defaultFormatter": "redhat.vscode-yaml" },
   "[javascriptreact]": { "editor.defaultFormatter": "esbenp.prettier-vscode" },
   "[github-actions-workflow]": {
-    "editor.defaultFormatter": "redhat.vscode-yaml"
+    "editor.defaultFormatter": "redhat.vscode-yaml",
   },
   "[dockercompose]": {
     "editor.insertSpaces": true,
@@ -64,9 +64,9 @@
     "editor.quickSuggestions": {
       "other": true,
       "comments": false,
-      "strings": true
+      "strings": true,
     },
-    "editor.defaultFormatter": "redhat.vscode-yaml"
+    "editor.defaultFormatter": "redhat.vscode-yaml",
   },
 
   // spell check
@@ -78,7 +78,8 @@
     "Corvidae",
     "drivername",
     "fastapi",
-    "syncthing"
+    "sandboxing",
+    "syncthing",
   ],
 
   // nix
@@ -96,5 +97,5 @@
   // new
   "hediet.vscode-drawio.resizeImages": null,
   "hediet.vscode-drawio.appearance": "automatic",
-  "claudeCode.preferredLocation": "panel"
+  "claudeCode.preferredLocation": "panel",
 }