ddns-updater: disable DynamicUser to fix secret perms

2026-04-09 20:47:04 -04:00
parent ce1c335230
commit 100999734b
2 changed files with 15 additions and 0 deletions
--- a/modules/age-secrets.nix
+++ b/modules/age-secrets.nix
@@ -58,6 +58,8 @@
    ddns-updater-config = {
      file = ../secrets/ddns-updater-config.age;
      mode = "0400";
+      owner = "ddns-updater";
+      group = "ddns-updater";
    };

    jellyfin-api-key = {
--- a/services/ddns-updater.nix
+++ b/services/ddns-updater.nix
@@ -1,5 +1,6 @@
 {
  config,
+  lib,
  ...
 }:
 {
@@ -11,4 +12,16 @@
      CONFIG_FILEPATH = config.age.secrets.ddns-updater-config.path;
    };
  };
+
+  users.users.ddns-updater = {
+    isSystemUser = true;
+    group = "ddns-updater";
+  };
+  users.groups.ddns-updater = { };
+
+  systemd.service.ddns-updater.serviceConfig = {
+    DynamicUser = lib.mkForce false;
+    User = "ddns-updater";
+    Group = "ddns-updater";
+  };
 }