authorJörg Thalheim <joerg@thalheim.io>2020-02-12 16:34:10 +0000
committerJörg Thalheim <joerg@thalheim.io>2020-02-12 16:34:10 +0000
commit88029bce39bd485fc07f1b2aa111c3ee9d12e684 (patch)
tree6750720e9c89b472f9df93d1ab03fcda0d12ecff /nixos/modules
parent6adc09ed308e088481728c7f25ecabf609764254 (diff)
knot: drop dynamic user
A dynamic user makes it hard to include secret files; using tools like keymgr also becomes harder.
Diffstat (limited to 'nixos/modules')
-rw-r--r--nixos/modules/services/networking/knot.nix9
1 files changed, 8 insertions, 1 deletions
diff --git a/nixos/modules/services/networking/knot.nix b/nixos/modules/services/networking/knot.nix
index 47364ecb8464..6d0bb23846fb 100644
--- a/nixos/modules/services/networking/knot.nix
+++ b/nixos/modules/services/networking/knot.nix
@@ -65,6 +65,13 @@ in {
};
config = mkIf config.services.knot.enable {
+ users.users.knot = {
+ isSystemUser = true;
+ group = "knot";
+ description = "Knot daemon user";
+ };
+
+ users.groups.knot.gid = null;
systemd.services.knot = {
unitConfig.Documentation = "man:knotd(8) man:knot.conf(5) man:knotc(8) https://www.knot-dns.cz/docs/${cfg.package.version}/html/";
description = cfg.package.meta.description;
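Review bot: The new `users.users.knot` block carries no hint of why a static account replaces the dynamic one, so a later hardening pass could reasonably swap it back; the rationale lives only in the commit message. A short comment above the block would keep it in the module, e.g. `# Static user instead of DynamicUser: lets operators grant the service access to key/secret files and run keymgr as the same user.`. The group is declared only through `users.groups.knot.gid = null;`, which is consistent with the `group = "knot"` reference, though `users.groups.knot = {};` is the more common spelling in this tree. The enclosing `config = mkIf …` attrset continues past the hunk.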
@@ -79,7 +86,7 @@ in {
CapabilityBoundingSet = "CAP_NET_BIND_SERVICE CAP_SETPCAP";
AmbientCapabilities = "CAP_NET_BIND_SERVICE CAP_SETPCAP";
NoNewPrivileges = true;
- DynamicUser = "yes";
+ User = "knot";
RuntimeDirectory = "knot";
StateDirectory = "knot";
StateDirectoryMode = "0700";
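Review bot: Replacing `DynamicUser = "yes"` with `User = "knot"` silently drops the sandboxing that DynamicUser implies — systemd.exec(5) documents that DynamicUser= implies ProtectSystem=strict, ProtectHome=read-only, PrivateTmp=yes and RemoveIPC=yes, and only NoNewPrivileges survives here because it is set explicitly two lines above. Unless those options are set elsewhere in serviceConfig, which starts and ends outside this hunk, knotd now runs as a persistent user with a writable root filesystem and a shared /tmp. Re-adding them next to the new `User` line preserves the previous confinement while still allowing the static user the commit wants for key files and keymgr.
```nix
User = "knot";
# Restore the confinement that DynamicUser= implied (see systemd.exec(5)).
ProtectSystem = "strict";
ProtectHome = "read-only";
PrivateTmp = true;
RemoveIPC = true;
# … unchanged: RuntimeDirectory / StateDirectory / StateDirectoryMode …
```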