Diffstat (limited to '')
-rw-r--r--system/services/nix-sync/default.nix7
1 files changed, 6 insertions, 1 deletions
diff --git a/system/services/nix-sync/default.nix b/system/services/nix-sync/default.nix
index ea6d3cd..470f3f9 100644
--- a/system/services/nix-sync/default.nix
+++ b/system/services/nix-sync/default.nix
@@ -8,6 +8,11 @@
 
   mkUnit = name: repo: let
     esa = lib.strings.escapeShellArg;
+    parents = path: let
+      split_path = builtins.split "/" path;
+      filename = builtins.elemAt split_path (builtins.length split_path - 1);
+    in
+      lib.strings.removeSuffix "/" (builtins.replaceStrings [filename] [""] path);
     optionalPathSeparator =
       if lib.strings.hasPrefix "/" repo.path
       then ""
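Review bot: `parents` computes the parent directory with `builtins.replaceStrings [filename] [""] path`, which replaces every occurrence of the last component anywhere in the string, not only at the end; a path whose directory names repeat the leaf (e.g. `/srv/www/www`) comes out as `/srv/` instead of `/srv/www`, and a path ending in `/` yields the path itself with the slash stripped rather than its parent. Because this value becomes a `ReadWritePaths` entry in the second hunk, a wrong result either fails the unit at start or opens a directory that was not intended to be writable. Nix already has a builtin for this, so the helper can be `parents = builtins.dirOf;` (or the call site can use `dirOf repo.path` directly), with the same result for the plain absolute-path case. The enclosing `mkUnit` let-binding starts and ends outside this hunk.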
@@ -81,7 +86,7 @@
       # Security
       NoNewPrivileges = true;
       # Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html)
-      ReadWritePaths = ["/etc/nginx/websites" "-${esa repoCachePath}" "-${esa cfg.cachePath}"];
+      ReadWritePaths = ["${esa (parents repo.path)}" "-${esa repoCachePath}" "-${esa cfg.cachePath}"];
       ReadOnlyPaths = ["/nix"];
       ProtectSystem = "strict";
       ProtectHome = true;
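Review bot: The new first `ReadWritePaths` entry grants write access to the whole parent directory of `repo.path`, i.e. to every sibling entry under it, where the removed line named one fixed directory; a short comment above the line stating why the parent rather than the checkout itself must be writable would make the widened scope reviewable, e.g. `# parent must be writable so the checkout at repo.path can be created/replaced — confirm`. The `optionalPathSeparator` binding earlier in `mkUnit` suggests `repo.path` may be given relative, in which case the computed parent is also relative and is not a valid `ReadWritePaths` entry. The entry also lacks the `-` prefix used on the two cache paths, so a missing parent directory makes the service fail to start rather than being ignored; worth confirming that is intended. The surrounding `serviceConfig` attribute set continues outside this hunk.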