lnl: update fetch-nixpkgs

1 files changed, 6 insertions, 2 deletions

diff --git a/modules/examples/lnl.nix b/modules/examples/lnl.nix
index 5ca0ad0..0257afb 100644
--- a/modules/examples/lnl.nix
+++ b/modules/examples/lnl.nix
@@ -67,11 +67,11 @@
   services.skhd.enable = true;
 
   security.sandbox.profiles.fetch-nixpkgs-updates.closure = [ pkgs.cacert pkgs.git ];
-  security.sandbox.profiles.fetch-nixpkgs-updates.writablePaths = [ "/src/nixpkgs" ];
+  security.sandbox.profiles.fetch-nixpkgs-updates.writablePaths = [ (toString <nixpkgs-trunk>) ];
   security.sandbox.profiles.fetch-nixpkgs-updates.allowNetworking = true;
 
   launchd.user.agents.fetch-nixpkgs-updates = {
-    command = "/usr/bin/sandbox-exec -f ${config.security.sandbox.profiles.fetch-nixpkgs-updates.profile} ${pkgs.git}/bin/git -C /src/nixpkgs fetch origin master";
+    command = "/usr/bin/sandbox-exec -f ${config.security.sandbox.profiles.fetch-nixpkgs-updates.profile} ${pkgs.git}/bin/git -C ${toString <nixpkgs-trunk>} fetch origin master";
     environment.HOME = "";
     environment.NIX_SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
     serviceConfig.KeepAlive = false;
@@ -140,6 +140,10 @@
     (allow file-write*
            (subpath "/nix/var/nix/gcroots/per-user")
            (subpath "/nix/var/nix/profiles/per-user"))
+
+    (allow process-exec
+          (literal "/bin/ps")
+          (with no-sandbox))
   '';
 
   # programs.vim.enable = true;