From 16524073ad3d386a44f3d42507cb7630c6a6ca47 Mon Sep 17 00:00:00 2001
From: Benedikt Peetz
Date: Sat, 1 Jun 2024 18:39:26 +0200
Subject: fix(nix-sync): Ensure that the service can write to all needed paths

Previously, the generated service _could_ write to the directory, but wanted to create the directory, if it was absent. Creating this directory, requires to be able to write in the parent directory. This is fixed, by ensuring that the parent directories are included.
---
 system/services/nix-sync/default.nix | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

(limited to 'system/services')

diff --git a/system/services/nix-sync/default.nix b/system/services/nix-sync/default.nix
index 99d1372..082a8f0 100644
--- a/system/services/nix-sync/default.nix
+++ b/system/services/nix-sync/default.nix
@@ -5,6 +5,7 @@
 ...
 }: let
 cfg = config.services.nix-sync;
+ esa = lib.strings.escapeShellArg;
 mkTimer = name: repo: {
 description = "Nix sync ${name} timer";
@@ -19,9 +20,15 @@
 parents = path: let
 split_path = builtins.split "/" path;
 filename = builtins.elemAt split_path (builtins.length split_path - 1);
+ path_build = lib.strings.removeSuffix "/" (builtins.replaceStrings [filename] [""] path);
+ final_path = if filename == "" then parents path_build else path_build;
 in
- lib.strings.removeSuffix "/" (builtins.replaceStrings [filename] [""] path);
- esa = lib.strings.escapeShellArg;
+ final_path;
+
 mkUnit = name: repo: let
 optionalPathSeparator = if lib.strings.hasPrefix "/" repo.path
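Review bot: The reworked `parents` still derives the directory with `builtins.replaceStrings [filename] [""] path`, which strips every occurrence of the last component rather than only the trailing one, so a path like `/srv/repo/repo` yields `/srv/` and the unit below is then bound read-write to a far wider directory than intended. The new `filename == ""` recursion also has no base case: for `path = "/"` (or `""`) `path_build` evaluates to `""`, whose last component is again `""`, so `parents ""` recurses without end at evaluation time. Both problems disappear with the builtin: `parents = path: builtins.dirOf (lib.strings.removeSuffix "/" path);`. `dirOf` returns `/` for a top-level path and `.` for a bare filename, which should be checked against how `optionalPathSeparator` handles relative `repo.path` values; that definition continues outside the hunk.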
@@ -115,8 +122,8 @@
 # Security
 NoNewPrivileges = true;
 # Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html)
- ReadWritePaths = ["${esa (parents repo.path)}" "-${esa repoCachePath}" "-${esa cfg.cachePath}"];
- ReadOnlyPaths = ["/nix"];
+ ReadWritePaths = ["${esa (parents repo.path)}" "-${esa (parents repoCachePath)}" "-${esa cfg.cachePath}"];
+ ReadOnlyPaths = ["/nix"]; # TODO: Should be irrelevant, as we have ProtectSystem=Strict <2024-06-01>
 ProtectSystem = "strict";
 ProtectHome = true;
 PrivateTmp = true;
-- 
cgit 1.4.1
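Review bot: Binding `parents repoCachePath` read-write instead of `repoCachePath` gives the service write access to every sibling under that parent, not only its own cache directory; the same already holds for `parents repo.path`, so any two repo units whose paths share a parent can write into each other's checkouts. Since the only reason for the wider bind is that the service wants to `mkdir` its target, create the directory outside the sandbox instead (a `systemd.tmpfiles.rules` entry, or an `ExecStartPre` command prefixed with `+`, which runs without the unit's sandboxing) and keep `ReadWritePaths` at the leaf directories. `repoCachePath` is defined outside the hunk, so whether `parents repoCachePath` is already covered by the `cfg.cachePath` entry cannot be confirmed here. The TODO on `ReadOnlyPaths = ["/nix"]` is correct: `ProtectSystem = "strict"` mounts the whole hierarchy read-only apart from the `ReadWritePaths` entries, so that line can simply be removed.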