authorMel <einebeere@gmail.com>2024-12-29 22:57:11 +0100
committerMel <einebeere@gmail.com>2024-12-29 22:57:11 +0100
commita5d23c80aee2e93436dc2ee09f3710975958d2dc (patch)
tree1691fd6b1b9138240bd5bb338dda1f278e4ff341
parentd5ce2d93fd9be2200745c1d5954330efc5080f28 (diff)
downloadspecimen-a5d23c80aee2e93436dc2ee09f3710975958d2dc.tar.zst
specimen-a5d23c80aee2e93436dc2ee09f3710975958d2dc.zip
Create system user for specimen service, and allow it to read name secret
Signed-off-by: Mel <einebeere@gmail.com>
-rw-r--r--application/module.nix22
-rw-r--r--configuration/specimen.nix3
2 files changed, 24 insertions, 1 deletions
diff --git a/application/module.nix b/application/module.nix
index 78ac546..3689996 100644
--- a/application/module.nix
+++ b/application/module.nix
@@ -28,6 +28,18 @@ in
       default = self.packages.${system}.default;
     };
 
+    user = mkOption {
+      type = types.nonEmptyStr;
+      default = "specimen";
+      description = "user under which specimen will run.";
+    };
+
+    group = mkOption {
+      type = types.nonEmptyStr;
+      default = "specimen";
+      description = "group under which specimen will run.";
+    };
+
     port = mkOption {
       type = types.port;
       default = 4444;
@@ -55,6 +67,13 @@ in
   config = mkIf cfg.enable {
     networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];
 
+    users.users.${cfg.user} = {
+      description = "specimen user";
+      group = cfg.group;
+      isSystemUser = true;
+    };
+    users.groups.${cfg.group} = { };
+
     systemd.services.specimen = {
       description = "specimen application service";
       wantedBy = [ "multi-user.target" ];
@@ -62,7 +81,8 @@ in
       after = [ "network.target" ];
 
       serviceConfig = {
-        DynamicUser = true;
+        User = cfg.user;
+        Group = cfg.user;
         Type = "exec";
         Restart = "always";
         ExecStart = "${cfg.package}/bin/specimen -address ${cfg.listenAddress} -port ${toString cfg.port} -name ${cfg.namePath}";
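Review bot: `Group = cfg.user;` on the new side passes the user name where the group belongs; it only works because both options default to "specimen", and a deployment that sets `services.specimen.group` to another value gets a unit whose Group no longer matches the group created in `users.groups.${cfg.group}` (nor the `group = "specimen"` set on the secret), so the line should read `Group = cfg.group;`. Dropping `DynamicUser = true` for a static user also removes the sandboxing DynamicUser implied (ProtectSystem=strict, ProtectHome=read-only, PrivateTmp, RemoveIPC, NoNewPrivileges, RestrictSUIDSGID), so the service now runs with fewer restrictions than before unless they are restated explicitly; reading the secret from `cfg.namePath` is a read-only access and is not affected by those settings. The serviceConfig attrset continues past the end of the hunk.
```nix
      serviceConfig = {
        User = cfg.user;
        Group = cfg.group;
        # DynamicUser=true implied these; keep them now that a static user is used
        ProtectSystem = "strict";
        ProtectHome = "read-only";
        PrivateTmp = true;
        RemoveIPC = true;
        NoNewPrivileges = true;
        RestrictSUIDSGID = true;
        # … unchanged: Type, Restart, ExecStart …
```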
diff --git a/configuration/specimen.nix b/configuration/specimen.nix
index a20d4ab..53732b9 100644
--- a/configuration/specimen.nix
+++ b/configuration/specimen.nix
@@ -3,6 +3,9 @@
 {
   age.secrets.name = {
     file = ../secrets/name.age;
+    owner = "specimen";
+    group = "specimen";
+    mode = "440";
   };
 
   services.specimen = {
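Review bot: `owner = "specimen"` and `group = "specimen"` hard-code names that the module in the same commit exposes as the configurable options `services.specimen.user` and `services.specimen.group`, so changing either option silently leaves the decrypted secret owned by an account the service no longer runs as. If `config` is among this file's function arguments (the file header is outside the hunk, so this cannot be confirmed here), `owner = config.services.specimen.user;` and `group = config.services.specimen.group;` keep the ownership tied to the actual service identity. Mode "440" is the right choice for a secret that the service only reads; a short comment such as `# readable only by the specimen service account` would record why it is not world-readable.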