authorSoispha <soispha@vhack.eu>2023-07-04 14:21:30 +0200
committerSoispha <soispha@vhack.eu>2023-07-04 14:21:30 +0200
commite6b778b64a081f9bbbd18bff6b5c52a081c66475 (patch)
tree448944721afd3ffe4b1a268b000b5bf2aedcdda6
parentRefactor(system/services/nix-sync): Consolidate into repoCachePath (diff)
Fix(system/services/nix-sync): Add some required paths to unit
-rw-r--r--system/services/nix-sync/default.nix3
1 files changed, 2 insertions, 1 deletions
diff --git a/system/services/nix-sync/default.nix b/system/services/nix-sync/default.nix
index e951119..07c621a 100644
--- a/system/services/nix-sync/default.nix
+++ b/system/services/nix-sync/default.nix
@@ -81,7 +81,8 @@
       # Security
       NoNewPrivileges = true;
       # Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html)
-      ReadWritePaths = ["${repo.path}" "${esa repoCachePath}"];
+      ReadWritePaths = ["${esa repo.path}" "-${esa repoCachePath}"];
+      ReadOnlyPaths = ["/nix"];
       ProtectSystem = "strict";
       ProtectHome = true;
       PrivateTmp = true;
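Review bot: The leading `-` added to the repoCachePath entry in `ReadWritePaths` makes that bind mount optional in systemd, so a missing or mistyped cache path is silently skipped at unit start and the service then runs without write access to it rather than failing loudly; it would help to record that intent with a comment above the line, e.g. `# "-" prefix: the cache directory may not exist yet, so do not fail the unit if it is absent`. The new `ReadOnlyPaths = ["/nix"]` appears to be redundant under `ProtectSystem = "strict"` already set two lines below, which mounts the whole hierarchy read-only apart from the API filesystems; if it is meant as an explicit guard, a one-line comment saying so would stop a later reader from removing it. I am assuming `esa` is a shell-argument escaper; if so, note that systemd parses its own quoting in space-separated list values, so it is worth confirming that the escaped form still resolves when the path contains spaces or quotes. The enclosing serviceConfig attribute set starts and ends outside this hunk.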