services/wezterm-mux-server: hardcode user and group

With DynamicUser directive, it should be easy to make this usable.
2025-02-07 18:19:09 +00:00 · 2023-10-06 13:48:12 +08:00 · 2023-10-06 13:48:12 +08:00 · 069723d38a
commit 069723d38a
parent 86d8878fab
1 changed files with 5 additions and 39 deletions
--- a/modules/nixos/services/wezterm-mux-server.nix
+++ b/modules/nixos/services/wezterm-mux-server.nix
@ -2,8 +2,6 @@
 let
  cfg = config.services.wezterm-mux-server;
  defaultUser = "wezterm";
 in
 {
  options.services.wezterm-mux-server = {
@ -28,43 +26,10 @@ in
      defaultText = "null";
      example = lib.literalExpression "./wezterm-mux-server.lua";
    };
    user = lib.mkOption {
      type = lib.types.str;
      default = defaultUser;
      defaultText = defaultUser;
      description = ''
        User account of the Wezterm mux server. It is recommended to change
        this with a dedicated user account intended to be accessed through SSH.
      '';
    };
    group = lib.mkOption {
      type = lib.types.str;
      default = defaultUser;
      defaultText = defaultUser;
      description = ''
        The group which the Wezterm mux server runs under. It is recommended to
        change this with a dedicated user group intended to be accessed through
        SSH.
      '';
    };
  };
  config = lib.mkIf cfg.enable {
-    users.users = lib.mkIf (cfg.user == defaultUser) {
+    environment.systemPackages = [ cfg.package ];
      "${defaultUser}" = {
        description = "Wezterm mux service";
        home = "/home/wezterm";
        useDefaultShell = true;
        group = cfg.group;
        isSystemUser = true;
      };
    };
    users.groups = lib.mkIf (cfg.group == defaultUser) {
      "${defaultUser}" = { };
    };
    systemd.services.wezterm-mux-server = {
      description = "Wezterm mux server";
@ -74,8 +39,9 @@ in
      # Give it some tough love.
      serviceConfig = {
-        User = cfg.user;
+        User = "wezterm";
-        Group = cfg.group;
+        Group = "wezterm";
        DynamicUser = true;
        LockPersonality = true;
        NoNewPrivileges = true;
@ -95,7 +61,7 @@ in
        StateDirectory = "wezterm";
        # Restricting what capabilities this service has.
-        CapabilityBoundingSet = [ "" ];
+        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
        # Restrict what address families this service can interact with.