diff options
author | Soispha <soispha@vhack.eu> | 2023-07-04 14:21:30 +0200 |
---|---|---|
committer | Soispha <soispha@vhack.eu> | 2023-07-04 14:21:30 +0200 |
commit | e6b778b64a081f9bbbd18bff6b5c52a081c66475 (patch) | |
tree | 448944721afd3ffe4b1a268b000b5bf2aedcdda6 /system/services/nix-sync | |
parent | Refactor(system/services/nix-sync): Consolidate into repoCachePath (diff) | |
download | nixos-server-e6b778b64a081f9bbbd18bff6b5c52a081c66475.tar.gz nixos-server-e6b778b64a081f9bbbd18bff6b5c52a081c66475.zip |
Fix(system/services/nix-sync): Add some required paths to unit
Diffstat (limited to '')
-rw-r--r-- | system/services/nix-sync/default.nix | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/system/services/nix-sync/default.nix b/system/services/nix-sync/default.nix index e951119..07c621a 100644 --- a/system/services/nix-sync/default.nix +++ b/system/services/nix-sync/default.nix @@ -81,7 +81,8 @@ # Security NoNewPrivileges = true; # Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html) - ReadWritePaths = ["${repo.path}" "${esa repoCachePath}"]; + ReadWritePaths = ["${esa repo.path}" "-${esa repoCachePath}"]; + ReadOnlyPaths = ["/nix"]; ProtectSystem = "strict"; ProtectHome = true; PrivateTmp = true; |