services/yt-dlp: fix service working directory

There is the `--paths` option for that purpose. It also eliminates the
workaround for creating the directory before starting the service for
newly-bootstrapped systems.

The several hardening options have also been corrected.

modules/home-manager/services/yt-dlp.nix

@@ -127,7 +127,6 @@ in {
         };
 
         Service = {
-          WorkingDirectory = cfg.archivePath;
           ExecStartPre = ''
             ${pkgs.bash}/bin/bash -c "${pkgs.coreutils}/bin/mkdir -p ${
               lib.escapeShellArg cfg.archivePath
@@ -141,7 +140,7 @@ in {
                 lib.concatStringsSep " " cfg.extraArgs
               } ${lib.concatStringsSep " " value.extraArgs} ${
                 lib.escapeShellArgs value.urls
-              }
+              } --paths ${lib.escapeShellArg cfg.archivePath}
             '';
           in "${archiveScript}/bin/${scriptName}";
         };

modules/nixos/services/yt-dlp.nix

@@ -119,19 +119,21 @@ in {
         documentation = [ "man:yt-dlp(1)" ];
         enable = true;
         path = [ cfg.package pkgs.coreutils ];
+        preStart = ''
+          mkdir -p ${lib.escapeShellArg cfg.archivePath}
+        '';
         script = ''
-          mkdir -p ${lib.escapeShellArg cfg.archivePath} \
+          yt-dlp ${lib.concatStringsSep " " cfg.extraArgs} ${
-          && yt-dlp ${lib.concatStringsSep " " cfg.extraArgs} ${
             lib.concatStringsSep " " value.extraArgs
-          } ${lib.escapeShellArgs value.urls}
+          } ${lib.escapeShellArgs value.urls} --paths ${cfg.archivePath}
         '';
         startAt = value.startAt;
         serviceConfig = {
           NoNewPrivileges = true;
           PrivateTmp = true;
-          ProtectControlGroup = true;
+          ProtectControlGroups = true;
           ProtectClock = true;
-          ProtectKernelModule = true;
+          ProtectKernelModules = true;
           ProtectKernelLogs = true;
         };
       }) cfg.jobs;