Fix(system/services/nix-sync): Add '/etc/nginx/websites' to kept dirs

author: Soispha <soispha@vhack.eu> 2023-07-04 18:29:22 +0200
committer: Soispha <soispha@vhack.eu> 2023-07-04 18:31:24 +0200
commit: 6a5b87447d3719a43dbefbbc6a75e853ee439cd2 (patch)
tree: bbc4fd4bcf28fe6d5f460031383ddcace8900566 /system
parent: Fix(system/services): Move acmeWebRoot back to /var/lib/acme (diff)
download: nixos-server-6a5b87447d3719a43dbefbbc6a75e853ee439cd2.tar.gz
nixos-server-6a5b87447d3719a43dbefbbc6a75e853ee439cd2.zip
1 files changed, 5 insertions, 1 deletions
diff --git a/system/services/nix-sync/default.nix b/system/services/nix-sync/default.nix
index de51f0b..ed2c6ac 100644
--- a/system/services/nix-sync/default.nix
+++ b/system/services/nix-sync/default.nix
@@ -81,7 +81,7 @@
       # Security
       NoNewPrivileges = true;
       # Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html)
-      ReadWritePaths = ["${esa repo.path}" "-${esa repoCachePath}"];
+      ReadWritePaths = ["/etc/nginx/websites" "-${esa repoCachePath}"];
       ReadOnlyPaths = ["/nix"];
       ProtectSystem = "strict";
       ProtectHome = true;
@@ -199,6 +199,10 @@ in {
         message = "Your cachePath ('${cfg.cachePath}') ends with a slash ('/'), please use: '${lib.strings.removeSuffix "/" cfg.cachePath}'.";
       }
     ];
+
+    # generate the websites directory, so systemd can mount it rw
+    environment.etc."nginx/websites/.keep".text = "keep this directory";
+
     systemd.services = services;
     users.users =
       if cfg.user == "nix-sync"
author	Soispha <soispha@vhack.eu>	2023-07-04 18:29:22 +0200
committer	Soispha <soispha@vhack.eu>	2023-07-04 18:31:24 +0200
commit	6a5b87447d3719a43dbefbbc6a75e853ee439cd2 (patch)
tree	bbc4fd4bcf28fe6d5f460031383ddcace8900566 /system
parent	Fix(system/services): Move acmeWebRoot back to /var/lib/acme (diff)
download	nixos-server-6a5b87447d3719a43dbefbbc6a75e853ee439cd2.tar.gz nixos-server-6a5b87447d3719a43dbefbbc6a75e853ee439cd2.zip