From bebf6bdaeb680609eec283bd329a42184b69878c Mon Sep 17 00:00:00 2001
From: Colin
Date: Sat, 3 Aug 2024 11:38:43 +0000
Subject: [PATCH] rsync-net: hardcode fewer paths
---
 hosts/modules/services/rsync-net/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/hosts/modules/services/rsync-net/default.nix b/hosts/modules/services/rsync-net/default.nix
index 89d5de6e5..9046fa2b8 100644
--- a/hosts/modules/services/rsync-net/default.nix
+++ b/hosts/modules/services/rsync-net/default.nix
@@ -25,8 +25,8 @@ in
 list of directories to upload to rsync.net.
 note that this module does NOT add any encryption to the files (layer that yourself).
 '';
- default = [
- "/nix/persist/private"
+ default = lib.optionals config.sane.persist.enable [
+ config.sane.persist.stores."private".origin
 ];
 };
 };
@@ -55,7 +55,7 @@ in
 # hardening
 serviceConfig.CapabilityBoundingSet = [ "CAP_DAC_READ_SEARCH" ];
 serviceConfig.ReadWritePaths = builtins.map (d: "${d}/zzz-rsync-net") cfg.dirs;
- serviceConfig.ReadOnlyPaths = "/nix/persist/private";
+ serviceConfig.ReadOnlyPaths = cfg.dirs;
 serviceConfig.RestrictAddressFamilies = "AF_INET AF_INET6";
 serviceConfig.LockPersonality = true;
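Review bot: Nothing in the first hunk shows that `config.sane.persist.stores."private".origin` resolves to the same on-disk tree as the old literal `/nix/persist/private`. The option text says the module adds no encryption, so it should be confirmed that `origin` is the at-rest (already encrypted) directory and not a decrypted view of it, because whatever it names is uploaded as-is. When `config.sane.persist.enable` is false the default is now `[]`, which makes both `ReadWritePaths` and the new `ReadOnlyPaths = cfg.dirs` in the second hunk (which appears cut off at the end of this page) empty. If the rest of the module does not already guard on that, an assertion that `cfg.dirs` is non-empty when the service is enabled would stop a backup unit that silently uploads nothing. Since the default now reads from `config`, I would also add `defaultText = lib.literalExpression "[ config.sane.persist.stores.\"private\".origin ]";` so the rendered option docs show the expression and not one host's evaluated path.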