nixos/syncthing: disallow relative paths

Relative paths are interpreted relative to the working directory, which is currently unset and thus defaults to `/`. However we want to change the working directory in a future release such that relative paths are interpreted relative to `/var/lib/syncthing`.
2022-11-01 17:33:35 -07:00 · 2022-11-01 17:33:35 -07:00 · 257ec177c8
commit 257ec177c8
parent 12e460cb9e
3 changed files with 26 additions and 2 deletions
--- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
@ -993,6 +993,16 @@ signald -d /var/lib/signald/db \
          longer accepted.
        </para>
      </listitem>
+      <listitem>
+        <para>
+          The Syncthing service now only allows absolute paths—starting
+          with <literal>/</literal> or <literal>~/</literal>—for
+          <literal>services.syncthing.folders.&lt;name&gt;.path</literal>.
+          In a future release other paths will be allowed again and
+          interpreted relative to
+          <literal>services.syncthing.dataDir</literal>.
+        </para>
+      </listitem>
    </itemizedlist>
  </section>
  <section xml:id="sec-release-22.11-notable-changes">
--- a/nixos/doc/manual/release-notes/rl-2211.section.md
+++ b/nixos/doc/manual/release-notes/rl-2211.section.md
@ -307,6 +307,11 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
  apply patches. This means that your hashes are out-of-date and the (previously required) attributes `name` and `version`
  are no longer accepted.

+- The Syncthing service now only allows absolute paths---starting with `/` or
+  `~/`---for `services.syncthing.folders.<name>.path`.
+  In a future release other paths will be allowed again and interpreted
+  relative to `services.syncthing.dataDir`.
+
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

 ## Other Notable Changes {#sec-release-22.11-notable-changes}
--- a/nixos/modules/services/networking/syncthing.nix
+++ b/nixos/modules/services/networking/syncthing.nix
@ -212,10 +212,18 @@ in {
            };

            path = mkOption {
-              type = types.str;
+              # TODO for release 23.05: allow relative paths again and set
+              # working directory to cfg.dataDir
+              type = types.str // {
+                check = x: types.str.check x && (substring 0 1 x == "/" || substring 0 2 x == "~/");
+                description = types.str.description + " starting with / or ~/";
+              };
              default = name;
              description = lib.mdDoc ''
                The path to the folder which should be shared.
+                Only absolute paths (starting with `/`) and paths relative to
+                the [user](#opt-services.syncthing.user)'s home directory
+                (starting with `~/`) are allowed.
              '';
            };

@ -405,7 +413,8 @@ in {
        example = "yourUser";
        description = mdDoc ''
          The user to run Syncthing as.
-          By default, a user named `${defaultUser}` will be created.
+          By default, a user named `${defaultUser}` will be created whose home
+          directory is [dataDir](#opt-services.syncthing.dataDir).
        '';
      };