From 100999734ba16f3b4cc0f3b4e84a331e9fabae18 Mon Sep 17 00:00:00 2001
From: Simon Gardling
Date: Thu, 9 Apr 2026 20:47:04 -0400
Subject: [PATCH] ddns-updater: disable DynamicUser to fix secret perms
---
 modules/age-secrets.nix | 2 ++
 services/ddns-updater.nix | 13 +++++++++++++
 2 files changed, 15 insertions(+)
diff --git a/modules/age-secrets.nix b/modules/age-secrets.nix
index cd43825..b38ba82 100644
--- a/modules/age-secrets.nix
+++ b/modules/age-secrets.nix
@@ -58,6 +58,8 @@
 ddns-updater-config = {
 file = ../secrets/ddns-updater-config.age;
 mode = "0400";
+ owner = "ddns-updater";
+ group = "ddns-updater";
 };
 jellyfin-api-key = {
diff --git a/services/ddns-updater.nix b/services/ddns-updater.nix
index 9b145c9..aba9402 100644
--- a/services/ddns-updater.nix
+++ b/services/ddns-updater.nix
@@ -1,5 +1,6 @@
 {
 config,
+ lib,
 ...
 }:
 {
@@ -11,4 +12,16 @@
 CONFIG_FILEPATH = config.age.secrets.ddns-updater-config.path;
 };
 };
+
+ users.users.ddns-updater = {
+ isSystemUser = true;
+ group = "ddns-updater";
+ };
+ users.groups.ddns-updater = { };
+
+ systemd.service.ddns-updater.serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ User = "ddns-updater";
+ Group = "ddns-updater";
+ };
 }
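Review bot: In the last hunk of services/ddns-updater.nix the override is written under `systemd.service.ddns-updater.serviceConfig`, but the NixOS option is `systemd.services` (plural). As written the module should fail evaluation with an unknown-option error, so `DynamicUser`, `User` and `Group` never reach the unit and the 0400 secret, now owned by `ddns-updater`, stays unreadable to the service. The line should read `systemd.services.ddns-updater.serviceConfig = {`. Separately, forcing `DynamicUser` off also drops the sandboxing systemd implies with it (`ProtectSystem=strict`, `ProtectHome=read-only`, `PrivateTmp`, `RemoveIPC`, `NoNewPrivileges`, `RestrictSUIDSGID`). Whether the upstream unit sets these explicitly is not visible in this hunk, so consider setting them in the same `serviceConfig` block, since this process reads a secret that presumably holds provider credentials.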