From b8e10afe1846548075136d953b7f01cf1fb0a45b Mon Sep 17 00:00:00 2001
From: nixbitcoin
Date: Sun, 3 May 2020 17:31:50 +0200
Subject: [PATCH] recurring-donations: Run under recurring-donations user
---
 modules/recurring-donations.nix | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/modules/recurring-donations.nix b/modules/recurring-donations.nix
index 03896ee..dcc61a6 100644
--- a/modules/recurring-donations.nix
+++ b/modules/recurring-donations.nix
@@ -78,6 +78,13 @@ in {
 };

 config = mkIf cfg.enable {
+ users.users.recurring-donations = {
+ description = "recurring-donations User";
+ group = "recurring-donations";
+ extraGroups = [ "clightning" ];
+ };
+ users.groups.recurring-donations = {};
+
 systemd.services.recurring-donations = {
 description = "Run recurring-donations";
 requires = [ "clightning.service" ];
@@ -85,9 +92,7 @@ in {
 path = with pkgs; [ nix-bitcoin.clightning curl torsocks sudo jq ];
 serviceConfig = {
 ExecStart = "${pkgs.bash}/bin/bash ${recurring-donations-script}";
- # TODO: would be better if this was operator, but I don't get sudo
- # working inside the shell script
- User = "clightning";
+ User = "recurring-donations";
 Type = "oneshot";
 } // nix-bitcoin-services.defaultHardening
 // nix-bitcoin-services.allowTor;
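Review bot: The new `recurring-donations` account is given `extraGroups = [ "clightning" ];` with no comment saying what that membership is for. Presumably it is what lets the script reach the clightning RPC socket; if so, it grants everything that socket exposes rather than only the payment calls the script needs, so the account is less isolated from `clightning` than the separate user name suggests. Once that is confirmed against the clightning module, I would add a comment above the line such as `# clightning group: access to the lightning RPC socket (full node control)`. The declaration also sets neither `isSystemUser` nor a fixed `uid`, so adding `isSystemUser = true;` would keep this service account out of the login-user UID range. The enclosing `config = mkIf cfg.enable {` block continues outside the hunk.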
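Review bot: `sudo` is still listed in `path` in the second hunk even though the unit now runs as its own unprivileged user, and the removed TODO was the only visible reference to sudo. If the script does not call it, the line can become `path = with pkgs; [ nix-bitcoin.clightning curl torsocks jq ];`; the script body is outside this hunk, so check there first. Leaving a privilege-escalation helper on the PATH of a hardened oneshot unit is misleading, since `defaultHardening` presumably stops it from working anyway.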