From 16524073ad3d386a44f3d42507cb7630c6a6ca47 Mon Sep 17 00:00:00 2001
From: Benedikt Peetz <benedikt.peetz@b-peetz.de>
Date: Sat, 1 Jun 2024 18:39:26 +0200
Subject: fix(nix-sync): Ensure that the service can write to all needed paths

Previously, the generated service _could_ write to the directory, but
wanted to create the directory if it was absent. Creating this
directory requires write access to the parent directory.
This is fixed by ensuring that the parent directories are included.
---
 system/services/nix-sync/default.nix | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)


diff --git a/system/services/nix-sync/default.nix b/system/services/nix-sync/default.nix
index 99d1372..082a8f0 100644
--- a/system/services/nix-sync/default.nix
+++ b/system/services/nix-sync/default.nix
@@ -5,6 +5,7 @@
   ...
 }: let
   cfg = config.services.nix-sync;
+  esa = lib.strings.escapeShellArg;
 
   mkTimer = name: repo: {
     description = "Nix sync ${name} timer";
@@ -19,9 +20,15 @@
   parents = path: let
     split_path = builtins.split "/" path;
     filename = builtins.elemAt split_path (builtins.length split_path - 1);
+    path_build =
+      lib.strings.removeSuffix "/" (builtins.replaceStrings [filename] [""] path);
+    final_path =
+      if filename == ""
+      then parents path_build
+      else path_build;
   in
-    lib.strings.removeSuffix "/" (builtins.replaceStrings [filename] [""] path);
-  esa = lib.strings.escapeShellArg;
+    final_path;
+
   mkUnit = name: repo: let
     optionalPathSeparator =
       if lib.strings.hasPrefix "/" repo.path
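Review bot: `builtins.replaceStrings [filename] [""] path` on the new `path_build` line replaces every occurrence of the last component, not just the trailing one, so a path whose last component also appears earlier (e.g. `/srv/sync/sync`, or any component that contains the filename as a substring) yields a wrong, and in the ReadWritePaths use typically much wider, parent such as `/srv`. Since the result of `parents` is what bounds the sandbox, that silent widening matters more than an ordinary off-by-one. The whole let-block can be replaced with `parents = path: builtins.dirOf (lib.strings.removeSuffix "/" path);`, which gives the same result as the new recursion for both `/a/b` and `/a/b/` and returns `/` rather than an empty string for a single-component absolute path. The `mkUnit` definition that follows begins inside the hunk but continues past its end.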
@@ -115,8 +122,8 @@
       # Security
       NoNewPrivileges = true;
       # Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html)
-      ReadWritePaths = ["${esa (parents repo.path)}" "-${esa repoCachePath}" "-${esa cfg.cachePath}"];
-      ReadOnlyPaths = ["/nix"];
+      ReadWritePaths = ["${esa (parents repo.path)}" "-${esa (parents repoCachePath)}" "-${esa cfg.cachePath}"];
+      ReadOnlyPaths = ["/nix"]; # TODO: Should be irrelevant, as we have ProtectSystem=Strict <2024-06-01>
       ProtectSystem = "strict";
       ProtectHome = true;
       PrivateTmp = true;
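Review bot: Making `parents repo.path` and `parents repoCachePath` writable grants the unit write access to every sibling of those directories, which is wider than the single mkdir the commit message says it needs. If the directories can be created outside the sandboxed process (for instance a `systemd.tmpfiles.rules` entry, or a preparation step that runs before the sandbox applies), ReadWritePaths could stay at `repo.path` and `repoCachePath` themselves; I am inferring the intended layout from the names, so this needs checking against how `repoCachePath` is defined. The `-` prefix on the cache entries also means a missing parent is skipped rather than failing, so a misconfigured `cfg.cachePath` would surface only as a runtime EROFS from the service. The enclosing `mkUnit` attribute set starts and ends outside this hunk.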
-- 
cgit 1.4.1