services/vouch-proxy: use system user for service

This enables integration with secret-management tooling such as sops-nix,
which the previous service configuration (a dynamic user) did not allow.
Gabriel Arazas 2023-10-14 11:06:23 +08:00
parent d43708983a
commit 5657a5e023
No known key found for this signature in database
GPG Key ID: ADE0C41DAB221FCC


@ -76,14 +76,12 @@ let
''; '';
script = "${lib.getExe' instance.package "vouch-proxy"} -config ${settingsFile'}"; script = "${lib.getExe' instance.package "vouch-proxy"} -config ${settingsFile'}";
serviceConfig = { serviceConfig = {
DynamicUser = true; User = config.users.users.vouch-proxy.name;
User = "vouch-proxy"; Group = config.users.groups.vouch-proxy.name;
Group = "vouch-proxy";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = 5; RestartSec = 5;
PrivateUsers = true;
PrivateTmp = true; PrivateTmp = true;
PrivateDevices = true; PrivateDevices = true;
@ -167,5 +165,13 @@ in
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
systemd.services = lib.mapAttrs' mkVouchInstance cfg.instances; systemd.services = lib.mapAttrs' mkVouchInstance cfg.instances;
users.users.vouch-proxy = {
description = "Vouch Proxy user";
group = config.users.groups.vouch-proxy.name;
isSystemUser = true;
};
users.groups.vouch-proxy = { };
}; };
} }
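Review bot: The first hunk drops `PrivateUsers = true;` from serviceConfig together with `DynamicUser`, a sandboxing regression the commit message does not mention; as far as I know PrivateUsers does not depend on DynamicUser, so unless the user-namespace mapping actually broke with the static account it should stay as `PrivateUsers = true;` (or the message should say why it had to go). The `users.users.vouch-proxy` account added in the second hunk is shared by every entry in `cfg.instances`, so a secret made readable to that user (for example via sops-nix ownership) is readable by all instances, not just the one it belongs to; if that is intended, a comment on the user definition such as `# Shared by all vouch-proxy instances; secrets granted to this user are visible to every instance.` would save the next reader the question. The `mkVouchInstance` binding that holds the edited serviceConfig begins before the first hunk, so whether any StateDirectory or similar ownership still relied on DynamicUser cannot be checked from here.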