rsync-net: hardcode fewer paths

2024-08-03 11:38:43 +00:00
parent 04fc601c9c
commit bebf6bdaeb
1 changed files with 3 additions and 3 deletions
--- a/hosts/modules/services/rsync-net/default.nix
+++ b/hosts/modules/services/rsync-net/default.nix
@@ -25,8 +25,8 @@ in
        list of directories to upload to rsync.net.
        note that this module does NOT add any encryption to the files (layer that yourself).
      '';
-      default = [
-        "/nix/persist/private"
+      default = lib.optionals config.sane.persist.enable [
+        config.sane.persist.stores."private".origin
      ];
    };
  };
@@ -55,7 +55,7 @@ in
      # hardening
      serviceConfig.CapabilityBoundingSet = [ "CAP_DAC_READ_SEARCH" ];
      serviceConfig.ReadWritePaths = builtins.map (d: "${d}/zzz-rsync-net") cfg.dirs;
-      serviceConfig.ReadOnlyPaths = "/nix/persist/private";
+      serviceConfig.ReadOnlyPaths = cfg.dirs;
      serviceConfig.RestrictAddressFamilies = "AF_INET AF_INET6";

      serviceConfig.LockPersonality = true;