authorBenedikt Peetz <benedikt.peetz@b-peetz.de>2024-06-01 18:39:26 +0200
committerBenedikt Peetz <benedikt.peetz@b-peetz.de>2024-06-01 18:42:27 +0200
commit16524073ad3d386a44f3d42507cb7630c6a6ca47 (patch)
tree411dce32df747c817dff57297933e9659629d0b5
parentfix(treewide): stop using none-existent etebase user and group (diff)
fix(nix-sync): Ensure that the service can write to all needed paths
Previously, the generated service _could_ write to the directory, but
wanted to create the directory if it was absent. Creating this
directory requires being able to write to the parent directory.
This is fixed by ensuring that the parent directories are included.
-rw-r--r--system/services/nix-sync/default.nix15
1 files changed, 11 insertions, 4 deletions
diff --git a/system/services/nix-sync/default.nix b/system/services/nix-sync/default.nix
index 99d1372..082a8f0 100644
--- a/system/services/nix-sync/default.nix
+++ b/system/services/nix-sync/default.nix
@@ -5,6 +5,7 @@
   ...
 }: let
   cfg = config.services.nix-sync;
+  esa = lib.strings.escapeShellArg;
 
   mkTimer = name: repo: {
     description = "Nix sync ${name} timer";
@@ -19,9 +20,15 @@
   parents = path: let
     split_path = builtins.split "/" path;
     filename = builtins.elemAt split_path (builtins.length split_path - 1);
+    path_build =
+      lib.strings.removeSuffix "/" (builtins.replaceStrings [filename] [""] path);
+    final_path =
+      if filename == ""
+      then parents path_build
+      else path_build;
   in
-    lib.strings.removeSuffix "/" (builtins.replaceStrings [filename] [""] path);
-  esa = lib.strings.escapeShellArg;
+    final_path;
+
   mkUnit = name: repo: let
     optionalPathSeparator =
       if lib.strings.hasPrefix "/" repo.path
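Review bot: The recursion introduced with `path_build`/`final_path` has no base case for an empty or root path: `builtins.split "/" ""` yields `[ "" ]`, so `filename` is `""`, `path_build` stays `""` and `parents ""` recurses forever — and `parents "/"` reaches that state after its first step, so evaluating a unit whose path reduces to `/` hangs instead of failing. The rewrite also keeps the pre-existing `builtins.replaceStrings [filename] [""] path`, which removes every occurrence of the last component rather than only the trailing one, so a path such as `/var/lib/foo/foo` reduces to `/var/lib/`; because the result feeds ReadWritePaths directly, that mistake widens the sandbox's writable set rather than narrowing it. Both issues go away with the builtin that does this job: `parents = path: dirOf (lib.strings.removeSuffix "/" path);`, which gives the same result as the new code for absolute paths with or without a trailing slash and always terminates. The enclosing `let` block continues past the hunk.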
@@ -115,8 +122,8 @@
       # Security
       NoNewPrivileges = true;
       # Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html)
-      ReadWritePaths = ["${esa (parents repo.path)}" "-${esa repoCachePath}" "-${esa cfg.cachePath}"];
-      ReadOnlyPaths = ["/nix"];
+      ReadWritePaths = ["${esa (parents repo.path)}" "-${esa (parents repoCachePath)}" "-${esa cfg.cachePath}"];
+      ReadOnlyPaths = ["/nix"]; # TODO: Should be irrelevant, as we have ProtectSystem=Strict <2024-06-01>
       ProtectSystem = "strict";
       ProtectHome = true;
       PrivateTmp = true;
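Review bot: Adding `parents repoCachePath` to ReadWritePaths grants the service write access to the entire parent directory of the cache, not just the one missing directory it needs to create; if that parent is a shared location, every sibling entry there becomes writable from inside the sandbox, subject only to ordinary file permissions. A narrower way to get the directory created is to have systemd create it (`CacheDirectory=`/`StateDirectory=` when the cache lives under /var/cache or /var/lib, or a `systemd.tmpfiles` rule) and keep only `"-${esa repoCachePath}"` in the list. The first entry `${esa (parents repo.path)}` also carries no leading `-`, so the unit fails to start when that parent is absent while the other two entries are tolerated; a comment such as `# repo parent must exist; cache paths are optional` would record that the asymmetry is deliberate. The ReadOnlyPaths TODO is accurate, since ProtectSystem=strict already mounts everything except /dev, /proc and /sys read-only. The serviceConfig attribute set starts and ends outside the hunk.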