From a505c18cdb5e7de79ec0b3670d8c721804a6b3e6 Mon Sep 17 00:00:00 2001
From: Soispha <soispha@vhack.eu>
Date: Tue, 4 Jul 2023 21:37:47 +0200
Subject: Fix(system/services/nix-sync): Generate root independent of path

---
 system/services/nix-sync/default.nix | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/system/services/nix-sync/default.nix b/system/services/nix-sync/default.nix
index ea6d3cd..470f3f9 100644
--- a/system/services/nix-sync/default.nix
+++ b/system/services/nix-sync/default.nix
@@ -8,6 +8,11 @@
 
   mkUnit = name: repo: let
     esa = lib.strings.escapeShellArg;
+    parents = path: let
+      split_path = builtins.split "/" path;
+      filename = builtins.elemAt split_path (builtins.length split_path - 1);
+    in
+      lib.strings.removeSuffix "/" (builtins.replaceStrings [filename] [""] path);
     optionalPathSeparator =
       if lib.strings.hasPrefix "/" repo.path
       then ""
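Review bot: The `parents` helper on L18-L22 does not reliably return the parent directory, because `builtins.replaceStrings [filename] [""] path` removes every occurrence of the last path component, not just the trailing one: for a path such as `/srv/www/www` the result is `/srv/` rather than `/srv/www`, and a path with a trailing slash yields an empty `filename`, after which the helper returns the path itself instead of its parent. Since this value becomes a `ReadWritePaths=` entry in the second hunk, the over-stripped result silently widens the writable set. The standard builtin already does this correctly, so the helper can be reduced to `parents = path: builtins.dirOf (lib.strings.removeSuffix "/" path);` (the `removeSuffix` normalises a trailing slash before taking the directory part). `mkUnit` continues outside this hunk, so I cannot see whether `repo.path` is guaranteed to be absolute; if it can be relative, `dirOf` returns a relative string (or `.`), which systemd will reject in `ReadWritePaths=`.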
@@ -81,7 +86,7 @@
       # Security
       NoNewPrivileges = true;
       # Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html)
-      ReadWritePaths = ["/etc/nginx/websites" "-${esa repoCachePath}" "-${esa cfg.cachePath}"];
+      ReadWritePaths = ["${esa (parents repo.path)}" "-${esa repoCachePath}" "-${esa cfg.cachePath}"];
       ReadOnlyPaths = ["/nix"];
       ProtectSystem = "strict";
       ProtectHome = true;
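Review bot: Replacing the fixed `/etc/nginx/websites` entry with `parents repo.path` on L31 makes the write allowance under `ProtectSystem = "strict"` depend entirely on user configuration, and there is no guard on how wide it can get: for a single-component path such as `/srv` the parent is `/`, which turns the strict sandbox into a no-op, and for any path it grants write access to every sibling under the parent directory, not just the repository checkout. I would add an evaluation-time assertion before building the unit, e.g. `assert lib.assertMsg (parents repo.path != "/") "nix-sync: repo.path must be at least two levels deep";`, and document in a comment why the parent rather than the path itself is needed (presumably so the service can create or replace the checkout directory — confirm). Note also that, unlike the two cache-path entries, the new entry has no leading `-`, so a missing parent directory now makes the unit fail to start rather than being ignored; if that is intended, a short comment on L31 would make it clear. The enclosing `serviceConfig` attribute set starts and ends outside this hunk.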
-- 