-rw-r--r--system/services/nix-sync/default.nix17
1 files changed, 11 insertions, 6 deletions
diff --git a/system/services/nix-sync/default.nix b/system/services/nix-sync/default.nix
index d0ca114..e951119 100644
--- a/system/services/nix-sync/default.nix
+++ b/system/services/nix-sync/default.nix
@@ -8,9 +8,14 @@
 
   mkUnit = name: repo: let
     esa = lib.strings.escapeShellArg;
+    optionalPathSeparator =
+      if lib.strings.hasPrefix "/" repo.path
+      then ""
+      else "/";
+    repoCachePath = cfg.cachePath + optionalPathSeparator + repo.path;
     execStartScript = pkgs.writeScript "git-sync-exec" ''
       #! /usr/bin/env dash
-      cd ${esa (cfg.cachePath + "/" + repo.path)};
+      cd ${esa repoCachePath};
 
       while true; do
         origin="$(git rev-parse @{u})";
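Review bot: The new optionalPathSeparator (L16–L19) only normalises a leading slash, so a repo.path containing `..` segments, or a cfg.cachePath that already ends in `/`, still produces a repoCachePath that is not a clean child of cfg.cachePath — and the same value is later used for ReadWritePaths, so it also decides where the unit is allowed to write. Pinning the intent at the definition would help, e.g. `repoCachePath = assert !lib.strings.hasInfix ".." repo.path; cfg.cachePath + optionalPathSeparator + repo.path;`, or at least a comment such as `# repo.path is always nested under cfg.cachePath, even when given as an absolute path`. Whether repo.path is validated elsewhere (an option type with a check) is not visible here. mkUnit continues past the end of this hunk.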
@@ -31,12 +36,12 @@
       done
     '';
     execStartPreScript = ''
-      if ! stat ${esa (cfg.cachePath + "/" + repo.path)}/.git; then
-          mkdir --parents ${esa cfg.cachePath}/${esa repo.path};
-          git clone ${esa repo.uri} ${esa (cfg.cachePath + "/" + repo.path)};
+      if ! stat ${esa repoCachePath}/.git; then
+          mkdir --parents ${esa repoCachePath};
+          git clone ${esa repo.uri} ${esa repoCachePath};
 
           out_paths=$(mktemp);
-          nix build ${esa (cfg.cachePath + "/" + repo.path)} --print-out-paths --experimental-features 'nix-command flakes' > "$out_paths";
+          nix build ${esa repoCachePath} --print-out-paths --experimental-features 'nix-command flakes' > "$out_paths";
           [ "$(wc -l < "$out_paths")" -gt 1 ] && (echo "To many out-paths"; exit 1)
           out_path="$(cat "$out_paths")";
           ln -s "$out_path" ${esa repo.path};
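Review bot: The substitutions at L35–L37 and L41 are equivalent to the old `cfg.cachePath + "/" + repo.path` form, but the guard on the context line L42 does not abort the script: `exit 1` runs inside the `( … )` subshell, so when nix build prints more than one out-path execution continues to `out_path="$(cat …)"` with a multi-line value and the `ln -s` on L44 is fed that. Since the commit is rewriting this block anyway, the line could become `[ "$(wc -l < "$out_paths")" -gt 1 ] && { echo "Too many out-paths" >&2; exit 1; }`, which also fixes the message typo. Whether the enclosing ExecStartPre script runs with errexit is not visible in this hunk, and the `if ! stat` block closes outside it.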
@@ -76,7 +81,7 @@
       # Security
       NoNewPrivileges = true;
       # Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html)
-      ReadWritePaths = ["${repo.path}" "${cfg.cachePath}/${repo.path}"];
+      ReadWritePaths = ["${repo.path}" "${esa repoCachePath}"];
       ProtectSystem = "strict";
       ProtectHome = true;
       PrivateTmp = true;
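Review bot: `esa` at L50 applies shell quoting to a value that systemd, not a shell, parses: ReadWritePaths is a unit-file setting, so any path that escapeShellArg decides to quote (spaces or other characters outside its safe set) arrives wrapped in shell-style single quotes with `'\''` escaping that systemd's unit-file word splitting does not interpret the same way, while the neighbouring `"${repo.path}"` entry is passed through unescaped. The `cd ${esa repoCachePath}` substitution in the first hunk is correct because that is shell; here the line should read `ReadWritePaths = ["${repo.path}" "${repoCachePath}"];`. Separately, the first entry is repo.path as given, and the new optionalPathSeparator logic suggests it may be relative, in which case systemd would presumably reject it as a non-absolute path — worth checking against the option's type.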