-rw-r--r-- | system/services/nix-sync/default.nix | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/system/services/nix-sync/default.nix b/system/services/nix-sync/default.nix
index 99d1372..082a8f0 100644
--- a/system/services/nix-sync/default.nix
+++ b/system/services/nix-sync/default.nix
@@ -5,6 +5,7 @@
 ...
 }: let
 cfg = config.services.nix-sync;
+ esa = lib.strings.escapeShellArg;
 mkTimer = name: repo: {
 description = "Nix sync ${name} timer";
@@ -19,9 +20,15 @@
 parents = path: let
 split_path = builtins.split "/" path;
 filename = builtins.elemAt split_path (builtins.length split_path - 1);
+ path_build =
+ lib.strings.removeSuffix "/" (builtins.replaceStrings [filename] [""] path);
+ final_path =
+ if filename == ""
+ then parents path_build
+ else path_build;
 in
- lib.strings.removeSuffix "/" (builtins.replaceStrings [filename] [""] path);
- esa = lib.strings.escapeShellArg;
+ final_path;
+
 mkUnit = name: repo: let
 optionalPathSeparator =
 if lib.strings.hasPrefix "/" repo.path
@@ -115,8 +122,8 @@
 # Security
 NoNewPrivileges = true;
 # Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html)
- ReadWritePaths = ["${esa (parents repo.path)}" "-${esa repoCachePath}" "-${esa cfg.cachePath}"];
- ReadOnlyPaths = ["/nix"];
+ ReadWritePaths = ["${esa (parents repo.path)}" "-${esa (parents repoCachePath)}" "-${esa cfg.cachePath}"];
+ ReadOnlyPaths = ["/nix"]; # TODO: Should be irrelevant, as we have ProtectSystem=Strict <2024-06-01>
 ProtectSystem = "strict";
 ProtectHome = true;
 PrivateTmp = true;
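Review bot: The new `final_path` recursion in `parents` has no base case: for a path of `/` or `""`, `filename` is `""` and `path_build` collapses to `""` again, so `parents path_build` recurses until Nix aborts. The `path_build` line also keeps the old `builtins.replaceStrings [filename] [""] path`, which removes every occurrence of the last component rather than only the trailing one — `parents "/var/lib/lib"` yields `"/var/"` instead of `"/var/lib"`, and because `parents repo.path` feeds `ReadWritePaths` in the third hunk, a repeated component silently widens the tree the sandboxed service may write to. `builtins.dirOf` on the trailing-slash-stripped path fixes both: it has a natural base case and strips exactly one component. Be aware that `dirOf` returns `/` for a top-level path such as `/srv` where the old code returned `""`; a `/` entry in `ReadWritePaths` would undo `ProtectSystem=strict`, so that case is probably worth rejecting explicitly. The enclosing `let` begins before this hunk.
```nix
  parents = path: let
    # Drop a trailing "/" so "a/b/" and "a/b" resolve to the same parent.
    trimmed = lib.strings.removeSuffix "/" path;
  in
    # Base case: "" and "/" have no parent; never recurse without progress.
    if trimmed == ""
    then ""
    # dirOf strips only the final component, so a repeated substring
    # ("/var/lib/lib") cannot erase earlier components.
    else builtins.dirOf trimmed;
```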
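Review bot: `esa` is `lib.strings.escapeShellArg` (POSIX-shell quoting), but the `ReadWritePaths` entries on the new line are parsed by systemd's own unit-file unquoting, not by a shell; single-quoting a path with spaces works in both, but the `'\''` sequence escapeShellArg emits for an embedded quote is only correct if systemd's backslash handling matches, which is worth confirming against systemd.syntax(7) before relying on it. The new `-${esa (parents repoCachePath)}` entry inherits whatever `parents` returns (with the current substring replacement that can be a broader tree than intended), and the `-` prefix means a misnamed cache directory is silently dropped from the writable set rather than failing at unit start; `repoCachePath` is defined outside this hunk, so I cannot tell whether it already lies under `cfg.cachePath`. On the `ReadOnlyPaths` TODO: `ProtectSystem=strict` mounts the whole hierarchy read-only except `/dev`, `/proc` and `/sys`, so the `/nix` entry is redundant rather than harmful — I would say so in the comment, e.g. `# Redundant with ProtectSystem=strict (everything but /dev, /proc, /sys is already read-only); kept only as documentation`.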