diff --git a/services/traccar.nix b/services/traccar.nix
index 4c43aa2..0019cc6 100644
--- a/services/traccar.nix
+++ b/services/traccar.nix
@@ -6,10 +6,10 @@
 {
 imports = [
 (lib.serviceMountWithZpool "traccar" service_configs.zpool_ssds [
- "/var/lib/private/traccar"
+ "/var/lib/traccar"
 ])
 (lib.serviceFilePerms "traccar" [
- "Z /var/lib/private/traccar 0700 root root"
+ "Z /var/lib/traccar 0700 traccar traccar"
 ])
 (lib.mkCaddyReverseProxy {
 subdomain = "traccar";
@@ -17,11 +17,38 @@
 })
 ];
+ users.users.traccar = {
+ isSystemUser = true;
+ group = "traccar";
+ home = "/var/lib/traccar";
+ description = "Traccar GPS Tracking";
+ };
+ users.groups.traccar = { };
+
+ # PostgreSQL database (auto-created, peer auth via Unix socket)
+ services.postgresql = {
+ ensureDatabases = [ "traccar" ];
+ ensureUsers = [
+ {
+ name = "traccar";
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+
 services.traccar = {
 enable = true;
 settings = {
 web.port = toString service_configs.ports.private.traccar_web.port;
+ # PostgreSQL via Unix socket (peer auth, junixsocket is bundled)
+ database = {
+ driver = "org.postgresql.Driver";
+ url = "jdbc:postgresql:///traccar?socketFactory=org.newsclub.net.unix.AFUNIXSocketFactory$FactoryArg&socketFactoryArg=${service_configs.postgres.socket}/.s.PGSQL.5432";
+ user = "traccar";
+ password = "";
+ };
+
 # Only enable OsmAnd protocol (phone app). Prevents Traccar from
 # opening 200+ default protocol ports that conflict with other services.
 protocols.enable = "osmand";
@@ -29,6 +56,17 @@
 };
 };
+ # Disable DynamicUser so we can use peer auth with PostgreSQL
+ systemd.services.traccar = {
+ after = [ "postgresql.service" ];
+ requires = [ "postgresql.service" ];
+ serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ User = "traccar";
+ Group = "traccar";
+ };
+ };
+
 # OsmAnd tracking port must be reachable from the internet for the phone app
 networking.firewall.allowedTCPPorts = [
 service_configs.ports.public.traccar_tracking.port
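Review bot: The new `Z /var/lib/traccar 0700 traccar traccar` rule and the moved zpool mount assume `/var/lib/traccar` is a plain directory, but a host that previously ran this unit with DynamicUser will usually have `/var/lib/traccar` left behind as a symlink into `/var/lib/private/`, and neither the mount nor the recursive chown handles that case. Nothing in the hunk migrates existing state either, so confirm on an existing host that the old symlink is removed and the dataset ends up mounted on the real path before the switch. A one-line comment on the mount entry would spare the next reader the same question, e.g. `# Real directory: DynamicUser is disabled below, old deployments may leave a /var/lib/traccar -> /var/lib/private/traccar symlink`.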
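Review bot: The JDBC `url` takes the socket directory from `service_configs.postgres.socket` but hardcodes the socket file name `.s.PGSQL.5432`, so any change to PostgreSQL's port moves the socket and the connection fails against a path that no longer exists. If the module header (outside this hunk) has `config` in scope, derive it instead: `socketFactoryArg=${service_configs.postgres.socket}/.s.PGSQL.${toString config.services.postgresql.settings.port}`. The empty `password = ""` is only sound because peer auth on the Unix socket maps the OS user to the role, which in turn relies on the `ensureUsers` name matching the unit's `User` and on the default local `peer` rule in `services.postgresql.authentication` not having been overridden elsewhere; a comment stating both preconditions next to `password` would document why an empty credential is acceptable here. `ensureDBOwnership = true` additionally requires the database and role names to be identical, which holds for `traccar` but is worth noting in the PostgreSQL comment.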