From 5657a5e023d49288d85b02fc5270da33e6b84a66 Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Sat, 14 Oct 2023 11:06:23 +0800
Subject: [PATCH] services/vouch-proxy: use system user for service
This enables integration with secrets such as sops-nix instead of the previous service config of being a dynamic user.
---
 modules/nixos/services/vouch-proxy.nix | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/modules/nixos/services/vouch-proxy.nix b/modules/nixos/services/vouch-proxy.nix
index b8a3d791..53215dee 100644
--- a/modules/nixos/services/vouch-proxy.nix
+++ b/modules/nixos/services/vouch-proxy.nix
@@ -76,14 +76,12 @@ let
 '';
 script = "${lib.getExe' instance.package "vouch-proxy"} -config ${settingsFile'}";
 serviceConfig = {
- DynamicUser = true;
- User = "vouch-proxy";
- Group = "vouch-proxy";
+ User = config.users.users.vouch-proxy.name;
+ Group = config.users.groups.vouch-proxy.name;
 Restart = "on-failure";
 RestartSec = 5;
- PrivateUsers = true;
 PrivateTmp = true;
 PrivateDevices = true;
@@ -167,5 +165,13 @@ in
 config = lib.mkIf cfg.enable {
 systemd.services = lib.mapAttrs' mkVouchInstance cfg.instances;
+
+ users.users.vouch-proxy = {
+ description = "Vouch Proxy user";
+ group = config.users.groups.vouch-proxy.name;
+ isSystemUser = true;
+ };
+
+ users.groups.vouch-proxy = { };
 };
 }
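Review bot: Dropping `DynamicUser = true;` from `serviceConfig` also drops the sandboxing systemd implies with it (ProtectSystem=strict, ProtectHome=read-only, NoNewPrivileges, RestrictSUIDSGID, RemoveIPC), and none of these is set explicitly in the lines visible here. `serviceConfig` continues past the end of the hunk, so they may already be set further down. If they are not, add `NoNewPrivileges = true;`, `ProtectSystem = "strict";` and `ProtectHome = true;` next to the remaining `Private*` options. The removal of `PrivateUsers = true;` is not explained by the commit message; if reading the secret files requires it, a one-line comment saying so would help, otherwise the option could stay.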
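Review bot: `users.users.vouch-proxy` is a single account shared by every entry in `cfg.instances`, so a secret file whose owner is set to this user (the sops-nix case from the commit message) becomes readable by all instances, not only the one it was provisioned for. `mkVouchInstance` is defined outside this hunk, so this is inferred from the fixed `User`/`Group` values in the first hunk. If per-instance accounts are not wanted, document the sharing above the declaration, e.g. `# Shared by all instances: a secret owned by this user is readable by every vouch-proxy instance.`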