From a5d23c80aee2e93436dc2ee09f3710975958d2dc Mon Sep 17 00:00:00 2001
From: Mel
Date: Sun, 29 Dec 2024 22:57:11 +0100
Subject: Create system user for specimen service, and allow it to read name secret

Signed-off-by: Mel
---
 application/module.nix | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

(limited to 'application')

diff --git a/application/module.nix b/application/module.nix
index 78ac546..3689996 100644
--- a/application/module.nix
+++ b/application/module.nix
@@ -28,6 +28,18 @@ in
       default = self.packages.${system}.default;
     };
 
+    user = mkOption {
+      type = types.nonEmptyStr;
+      default = "specimen";
+      description = "user under which specimen will run.";
+    };
+
+    group = mkOption {
+      type = types.nonEmptyStr;
+      default = "specimen";
+      description = "group under which specimen will run.";
+    };
+
     port = mkOption {
       type = types.port;
       default = 4444;
@@ -55,6 +67,13 @@ in
   config = mkIf cfg.enable {
     networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];
 
+    users.users.${cfg.user} = {
+      description = "specimen user";
+      group = cfg.group;
+      isSystemUser = true;
+    };
+    users.groups.${cfg.group} = { };
+
     systemd.services.specimen = {
       description = "specimen application service";
       wantedBy = [ "multi-user.target" ];
@@ -62,7 +81,8 @@ in
 
       after = [ "network.target" ];
       serviceConfig = {
-        DynamicUser = true;
+        User = cfg.user;
+        Group = cfg.user;
         Type = "exec";
         Restart = "always";
         ExecStart = "${cfg.package}/bin/specimen -address ${cfg.listenAddress} -port ${toString cfg.port} -name ${cfg.namePath}";
-- 
cgit 1.4.1
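Review bot: `Group = cfg.user;` in the serviceConfig hunk ignores the new `group` option: the commit creates `users.groups.${cfg.group}` but starts the unit under a group named after the user, so any deployment that sets `group` to a value other than `user` runs under the wrong group or fails to start because no such group exists; change it to `Group = cfg.group;`. Replacing `DynamicUser = true` with a static user also drops the sandboxing systemd implies for dynamic users (ProtectSystem=strict, ProtectHome=read-only, PrivateTmp, NoNewPrivileges, RestrictSUIDSGID, RemoveIPC), so the service now runs with a wider filesystem and privilege surface than before unless those are set explicitly, as below (ReadWritePaths may be needed if the binary writes state, which this file does not show). Nothing in the diff grants the new user read access to `cfg.namePath` despite the subject line, so presumably the secret's owner or group is set elsewhere; a comment next to `users.users.${cfg.user}` naming where that happens would help the next reader. The serviceConfig attribute set ends outside the hunk.
```nix
      serviceConfig = {
        User = cfg.user;
        Group = cfg.group;
        # DynamicUser = true implied these; keep them now that the user is static.
        ProtectSystem = "strict";
        ProtectHome = "read-only";
        PrivateTmp = true;
        NoNewPrivileges = true;
        RestrictSUIDSGID = true;
        RemoveIPC = true;
        # … unchanged: Type, Restart, ExecStart …
```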