From 9805090d9ec5ee868c8b5aefe32430e7f66b8a00 Mon Sep 17 00:00:00 2001
From: Stephan Maka
Date: Tue, 30 Apr 2019 22:50:26 +0200
Subject: [PATCH] homu: run under separate static user/group

---
 nixbld-etc-nixos/homu/nixos-module.nix | 30 ++++++++------------------
 1 file changed, 9 insertions(+), 21 deletions(-)

diff --git a/nixbld-etc-nixos/homu/nixos-module.nix b/nixbld-etc-nixos/homu/nixos-module.nix
index 22f2d70..5842caf 100644
--- a/nixbld-etc-nixos/homu/nixos-module.nix
+++ b/nixbld-etc-nixos/homu/nixos-module.nix
@@ -35,7 +35,7 @@ let
 ))
 );
 
- dbFile = homuConfig.db.file;
+ dbDir = dirOf homuConfig.db.file;
 in
 {
 
@@ -45,14 +45,6 @@ in
 default = false;
 description = "Enable the bot";
 };
- user = mkOption {
- type = types.str;
- default = "nobody";
- };
- group = mkOption {
- type = types.str;
- default = "nogroup";
- };
 config = mkOption {
 description = "Structured data for config.toml";
 type = with types; attrsOf unspecified;
@@ -60,20 +52,16 @@ in
 };
 
 config = mkIf cfg.enable {
- systemd.services.homu-dbdir = {
- description = "Homu bot database directory";
- serviceConfig = {
- Type = "oneshot";
- ExecStart = [
- "${pkgs.coreutils}/bin/mkdir -p ${dirOf dbFile}"
- "${pkgs.coreutils}/bin/chown -R ${cfg.user}:${cfg.group} ${dirOf dbFile}"
- ];
- };
+ users.users.homu = {
+ group = "homu";
+ home = dbDir;
+ createHome = true;
 };
+ users.groups.homu = {};
+
 systemd.services.homu = {
 description = "Homu bot";
 wantedBy = [ "multi-user.target" ];
- requires = [ "homu-dbdir.service" ];
 after = [ "network.target" ];
 serviceConfig = {
 Type = "simple";
@@ -82,8 +70,8 @@ in
 Restart = "always";
 RestartSec = "5sec";
 
- User = cfg.user;
- Group = cfg.group;
+ User = "homu";
+ Group = "homu";
 };
 };
 };
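Review bot: `users.users.homu` in the third hunk sets neither `isSystemUser = true` nor a fixed `uid`/`gid`, so despite the commit title the account is not static: its id is allocated at activation time and, depending on the NixOS release, may come from the normal-user range rather than the system range. I would add `isSystemUser = true;` next to `group = "homu";`, or pin `uid`/`gid` from `config.ids` if a stable id is really required. `createHome` creates and chowns `dbDir` itself but, unlike the removed `chown -R`, does not touch an existing database file, so a DB created under the previous `nobody` default presumably keeps its old owner and the service will not be able to write it until it is chowned by hand — worth a comment such as `# NOTE: existing db files from the nobody-owned setup must be chowned to homu:homu` or a one-time migration step. The `user`/`group` options are removed outright rather than via `mkRemovedOptionModule`, so configurations that still set them will fail evaluation with a generic undefined-option error instead of a pointed message.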