From 8b812a34c9a4c039153e2a6a31e7af6bbbcfa52d Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Tue, 7 Nov 2023 20:53:15 +0800
Subject: [PATCH] services/archivebox: add dedicated service user and group

---
 modules/nixos/services/archivebox.nix | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/modules/nixos/services/archivebox.nix b/modules/nixos/services/archivebox.nix
index c8cff5f7..33209b64 100644
--- a/modules/nixos/services/archivebox.nix
+++ b/modules/nixos/services/archivebox.nix
@@ -58,6 +58,9 @@ let
           | archivebox add ${lib.concatStringsSep " " value.extraArgs}
         '';
         serviceConfig = {
+          User = "archivebox";
+          Group = "archivebox";
+
           LockPersonality = true;
           NoNewPrivileges = true;
           PrivateTmp = true;
@@ -158,6 +161,12 @@ in
     {
       systemd.services = lib.mapAttrs' mkJobService cfg.jobs;
       systemd.timers = lib.mapAttrs' mkTimerUnit cfg.jobs;
+
+      users.users.archivebox = {
+        group = config.users.groups.archivebox.name;
+        isNormalUser = true;
+        home = "/var/lib/archivebox";
+      };
     }
 
     (lib.mkIf cfg.webserver.enable {
@@ -167,6 +176,8 @@ in
       documentation = [ "https://docs.archivebox.io/" ];
       wantedBy = [ "graphical-session.target" ];
       serviceConfig = {
+        User = "archivebox";
+        Group = "archivebox";
         ExecStart = "${pkgs.archivebox}/bin/archivebox server localhost:${
           toString cfg.webserver.port
         }";
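Review bot: The account name `"archivebox"` is now a bare literal in this serviceConfig, again in the webserver unit, and again as the `users.users` attribute, so the three can silently drift apart; bind it once in the surrounding `let` (`user = "archivebox";`) and write `User = user; Group = user;` here, with the same binding at the other two sites. Dropping root also means the archive directory the job writes into must be owned by, or at least writable for, that user; if earlier deployments ran these timers as root, the existing data is root-owned and needs a one-off chown or a `StateDirectory`/tmpfiles rule — the job's working directory is set outside this hunk, so I cannot confirm which path that is. The enclosing `mkJobService` definition starts and ends outside the hunk.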
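Review bot: The new user reads `config.users.groups.archivebox.name`, but nothing in this patch declares `users.groups.archivebox` (the diffstat's 11 insertions are all visible here), so evaluation will fail with a missing-attribute error unless the group is declared elsewhere in the file; add `users.groups.archivebox = { };` next to the user. `isNormalUser = true` is also the wrong flavour for a service account: it allocates a UID in the human range, gives the account the default login shell, and implies `createHome`. Use `isSystemUser = true` instead, and because that drops the implicit `createHome`, either add `createHome = true;` or give the units a `StateDirectory = "archivebox";` so `/var/lib/archivebox` exists with the right owner before the first run.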
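Review bot: With `User`/`Group` set, the webserver now runs under the same account as the jobs, but none of the hardening the job units carry (`LockPersonality`, `NoNewPrivileges`, `PrivateTmp`) is visible in this serviceConfig; the attribute set continues outside the hunk, so if they are not set there, mirror them here — this is the unit that actually exposes a listening socket. A one-line comment above the two new lines would also spare the next reader a lookup: `# Same account as the archive jobs so both sides can read and write the archive directory.` The surrounding service definition starts before the hunk.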