From fe21c0030c90de66f645cd0da8340ca0b479d8ca Mon Sep 17 00:00:00 2001
From: oddlama
Date: Fri, 29 Sep 2023 17:28:37 +0200
Subject: [PATCH] fix: make user for nixseparatedebuginfod to allow it to use the nix-daemon
---
 modules/config/users.nix | 1 +
 modules/optional/dev/default.nix | 14 ++++++++++++++
 2 files changed, 15 insertions(+)
diff --git a/modules/config/users.nix b/modules/config/users.nix
index aca86c1..3824d3b 100644
--- a/modules/config/users.nix
+++ b/modules/config/users.nix
@@ -25,5 +25,6 @@
 rtkit = uidGid 984;
 gitea = uidGid 983;
 redis-paperless = uidGid 982;
+ nixseparatedebuginfod = uidGid 981;
 };
 }
diff --git a/modules/optional/dev/default.nix b/modules/optional/dev/default.nix
index a1d295c..ce118d3 100644
--- a/modules/optional/dev/default.nix
+++ b/modules/optional/dev/default.nix
@@ -19,5 +19,19 @@ lib.optionalAttrs (!minimal) {
 nix.settings.extra-sandbox-paths = ["/var/tmp/agenix-rekey"];
 services.nixseparatedebuginfod.enable = true;
+ # We need a system-level user to be able to use nix.settings.allowed-users with it.
+ # TODO: remove once https://github.com/NixOS/nix/issues/9071 is fixed
+ systemd.services.nixseparatedebuginfod.serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ User = "nixseparatedebuginfod";
+ Group = "nixseparatedebuginfod";
+ };
+ users = {
+ groups.nixseparatedebuginfod = {};
+ users.nixseparatedebuginfod = {
+ description = "nixseparatedebuginfod user";
+ group = "nixseparatedebuginfod";
+ };
+ };
 nix.settings.allowed-users = ["nixseparatedebuginfod"];
 }
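Review bot: Forcing `DynamicUser = false` in `systemd.services.nixseparatedebuginfod.serviceConfig` also removes the sandboxing that systemd implies for dynamic users (`ProtectSystem=strict`, `ProtectHome=read-only`, `PrivateTmp`, `RemoveIPC`, `NoNewPrivileges`, `RestrictSUIDSGID`), on a service that the surrounding lines allow to talk to the nix-daemon. Unless the upstream unit already sets these explicitly (not visible in this hunk), I would restate them next to `User`/`Group`, e.g. `ProtectSystem = "strict"; ProtectHome = "read-only"; PrivateTmp = true; NoNewPrivileges = true;`, and check the result with `systemd-analyze security nixseparatedebuginfod`. Separately, `users.users.nixseparatedebuginfod` does not set `isSystemUser = true;` in the visible lines; NixOS asserts that exactly one of `isSystemUser` and `isNormalUser` is set, so add it here unless another module provides it.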