ddns-updater: disable DynamicUser to fix secret perms

2026-04-09 20:47:04 -04:00
parent ce1c335230
commit 100999734b
2 changed files with 15 additions and 0 deletions
--- a/modules/age-secrets.nix
+++ b/modules/age-secrets.nix
@@ -58,6 +58,8 @@
    ddns-updater-config = {
      file = ../secrets/ddns-updater-config.age;
      mode = "0400";
      owner = "ddns-updater";
      group = "ddns-updater";
    };
    jellyfin-api-key = {
--- a/services/ddns-updater.nix
+++ b/services/ddns-updater.nix
@@ -1,5 +1,6 @@
 {
  config,
  lib,
  ...
 }:
 {
@@ -11,4 +12,16 @@
      CONFIG_FILEPATH = config.age.secrets.ddns-updater-config.path;
    };
  };
  users.users.ddns-updater = {
    isSystemUser = true;
    group = "ddns-updater";
  };
  users.groups.ddns-updater = { };
  systemd.service.ddns-updater.serviceConfig = {
    DynamicUser = lib.mkForce false;
    User = "ddns-updater";
    Group = "ddns-updater";
  };
 }