Fix(system/services/nix-sync): Generate root independent of path

author: Soispha <soispha@vhack.eu> 2023-07-04 21:37:47 +0200
committer: Soispha <soispha@vhack.eu> 2023-07-04 21:37:47 +0200
commit: a505c18cdb5e7de79ec0b3670d8c721804a6b3e6 (patch)
tree: 591bc34f2143e0c5f06761d8cb78687a1adfb195
parent: Fix(system/services/openssh): Set correct permissions on ssh dir (diff)
download: nixos-server-a505c18cdb5e7de79ec0b3670d8c721804a6b3e6.zip
1 files changed, 6 insertions, 1 deletions
diff --git a/system/services/nix-sync/default.nix b/system/services/nix-sync/default.nix
index ea6d3cd..470f3f9 100644
--- a/system/services/nix-sync/default.nix
+++ b/system/services/nix-sync/default.nix
@@ -8,6 +8,11 @@
 
   mkUnit = name: repo: let
     esa = lib.strings.escapeShellArg;
+    parents = path: let
+      split_path = builtins.split "/" path;
+      filename = builtins.elemAt split_path (builtins.length split_path - 1);
+    in
+      lib.strings.removeSuffix "/" (builtins.replaceStrings [filename] [""] path);
     optionalPathSeparator =
       if lib.strings.hasPrefix "/" repo.path
       then ""
@@ -81,7 +86,7 @@
       # Security
       NoNewPrivileges = true;
       # Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html)
-      ReadWritePaths = ["/etc/nginx/websites" "-${esa repoCachePath}" "-${esa cfg.cachePath}"];
+      ReadWritePaths = ["${esa (parents repo.path)}" "-${esa repoCachePath}" "-${esa cfg.cachePath}"];
       ReadOnlyPaths = ["/nix"];
       ProtectSystem = "strict";
       ProtectHome = true;
author	Soispha <soispha@vhack.eu>	2023-07-04 21:37:47 +0200
committer	Soispha <soispha@vhack.eu>	2023-07-04 21:37:47 +0200
commit	a505c18cdb5e7de79ec0b3670d8c721804a6b3e6 (patch)
tree	591bc34f2143e0c5f06761d8cb78687a1adfb195
parent	Fix(system/services/openssh): Set correct permissions on ssh dir (diff)
download	nixos-server-a505c18cdb5e7de79ec0b3670d8c721804a6b3e6.zip