author | Soispha <soispha@vhack.eu> | 2023-07-04 18:29:22 +0200 |
---|---|---|
committer | Soispha <soispha@vhack.eu> | 2023-07-04 18:31:24 +0200 |
commit | 6a5b87447d3719a43dbefbbc6a75e853ee439cd2 (patch) | |
tree | bbc4fd4bcf28fe6d5f460031383ddcace8900566 /system/services/nix-sync | |
parent | Fix(system/services): Move acmeWebRoot back to /var/lib/acme (diff) | |
Fix(system/services/nix-sync): Add '/etc/nginx/websites' to kept dirs
Diffstat (limited to 'system/services/nix-sync')
-rw-r--r-- | system/services/nix-sync/default.nix | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/system/services/nix-sync/default.nix b/system/services/nix-sync/default.nix
index de51f0b..ed2c6ac 100644
--- a/system/services/nix-sync/default.nix
+++ b/system/services/nix-sync/default.nix
@@ -81,7 +81,7 @@
 # Security
 NoNewPrivileges = true;
 # Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html)
- ReadWritePaths = ["${esa repo.path}" "-${esa repoCachePath}"];
+ ReadWritePaths = ["/etc/nginx/websites" "-${esa repoCachePath}"];
 ReadOnlyPaths = ["/nix"];
 ProtectSystem = "strict";
 ProtectHome = true;
@@ -199,6 +199,10 @@ in {
 message = "Your cachePath ('${cfg.cachePath}') ends with a slash ('/'), please use: '${lib.strings.removeSuffix "/" cfg.cachePath}'.";
 }
 ];
+
+ # generate the websites directory, so systemd can mount it rw
+ environment.etc."nginx/websites/.keep".text = "keep this directory";
+
 systemd.services = services;
 users.users =
 if cfg.user == "nix-sync" |
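Review bot: The new `ReadWritePaths` entry hard-codes `/etc/nginx/websites` where the old one used `${esa repo.path}`, so the writable part of the sandbox no longer follows the configured repository path. If this unit is generated once per repository (the `repo.path` reference suggests so, but the generator is outside the hunk), each sync service can now write into every other repository's checkout under that tree. A repository configured outside the tree would also stay read-only under `ProtectSystem = "strict"`. Deriving the parent from the option, e.g. `"${esa (builtins.dirOf repo.path)}"`, or adding an assertion that every `repo.path` lies below `/etc/nginx/websites`, would keep the sandbox and the configuration in agreement. A short comment on why the parent directory must be writable, not just the repo path, would help the next reader.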
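Review bot: A directory that exists only because of `environment.etc."nginx/websites/.keep"` is created by the /etc activation and would normally be root-owned, while `ReadWritePaths` lifts only the read-only mount, not the file permissions. If the service runs as `cfg.user` (referenced at the end of this hunk), it may still be unable to create checkouts there unless ownership is set somewhere outside the hunk. Creating the directory with explicit owner and mode would make this deterministic, e.g. `systemd.tmpfiles.rules = ["d /etc/nginx/websites 0755 ${cfg.user} <group-placeholder> -"];`. The comment could also say which user is expected to write there. The attribute set opened at `in {` continues past the hunk.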