author | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2024-06-01 18:39:26 +0200 |
---|---|---|
committer | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2024-06-01 18:42:27 +0200 |
commit | 16524073ad3d386a44f3d42507cb7630c6a6ca47 (patch) | |
tree | 411dce32df747c817dff57297933e9659629d0b5 /system | |
parent | fix(treewide): stop using none-existent etebase user and group (diff) | |
fix(nix-sync): Ensure that the service can write to all needed paths
Previously, the generated service _could_ write to the directory, but it also wanted to create the directory if it was absent. Creating this directory requires write access to the parent directory. This is fixed by ensuring that the parent directories are included.
Diffstat (limited to '')
-rw-r--r-- | system/services/nix-sync/default.nix | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/system/services/nix-sync/default.nix b/system/services/nix-sync/default.nix
index 99d1372..082a8f0 100644
--- a/system/services/nix-sync/default.nix
+++ b/system/services/nix-sync/default.nix
@@ -5,6 +5,7 @@
 ...
 }: let
 cfg = config.services.nix-sync;
+ esa = lib.strings.escapeShellArg;
 mkTimer = name: repo: {
 description = "Nix sync ${name} timer";
@@ -19,9 +20,15 @@
 parents = path: let
 split_path = builtins.split "/" path;
 filename = builtins.elemAt split_path (builtins.length split_path - 1);
+ path_build =
+ lib.strings.removeSuffix "/" (builtins.replaceStrings [filename] [""] path);
+ final_path =
+ if filename == ""
+ then parents path_build
+ else path_build;
 in
- lib.strings.removeSuffix "/" (builtins.replaceStrings [filename] [""] path);
- esa = lib.strings.escapeShellArg;
+ final_path;
+
 mkUnit = name: repo: let
 optionalPathSeparator =
 if lib.strings.hasPrefix "/" repo.path
@@ -115,8 +122,8 @@
 # Security
 NoNewPrivileges = true;
 # Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html)
- ReadWritePaths = ["${esa (parents repo.path)}" "-${esa repoCachePath}" "-${esa cfg.cachePath}"];
- ReadOnlyPaths = ["/nix"];
+ ReadWritePaths = ["${esa (parents repo.path)}" "-${esa (parents repoCachePath)}" "-${esa cfg.cachePath}"];
+ ReadOnlyPaths = ["/nix"]; # TODO: Should be irrelevant, as we have ProtectSystem=Strict <2024-06-01>
 ProtectSystem = "strict";
 ProtectHome = true;
 PrivateTmp = true; |
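Review bot: In the `parents` helper (second hunk), `builtins.replaceStrings [filename] [""] path` strips every occurrence of the basename anywhere in the path, not only the last component, so a path whose parent shares the basename (e.g. `/srv/sync/sync`) resolves to `/srv/` instead of `/srv/sync`; `builtins.dirOf` already computes the parent, and the whole let-block could become `parents = path: builtins.dirOf (lib.strings.removeSuffix "/" path);`. Separately, in the third hunk, feeding `parents repo.path` and `parents repoCachePath` into `ReadWritePaths` raises the sandbox's write grant from the target directory to its parent, which also makes every sibling entry under that parent writable by the unit; if the only goal is to create a missing directory, creating it outside the sandbox (for example with a `systemd.tmpfiles.rules` entry) keeps `ReadWritePaths` limited to the leaf directories. The `mkUnit` definition continues past the end of the second hunk.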