Create users for sudo enabled services
1 files changed, 39 insertions, 38 deletions
diff --git a/modules/packages/redpanda-connect/module.nix b/modules/packages/redpanda-connect/module.nix
index 8060cd4..ec82edf 100644
--- a/modules/packages/redpanda-connect/module.nix
+++ b/modules/packages/redpanda-connect/module.nix
@@ -31,44 +31,33 @@ in
};
};
- config = lib.mkIf cfg.enable {
- systemd.services = builtins.listToAttrs (
- lib.mapAttrsToList (name: pipeline: {
- name = "redpanda-connect-${name}";
- value = {
- wantedBy = [ "multi-user.target" ];
- serviceConfig = {
- Type = "simple";
- ExecStart =
- let
- configFile = pkgs.writeText "redpanda-connect-${name}.json" (builtins.toJSON pipeline.config);
- in
- "${cfg.package}/bin/redpanda-connect run ${configFile}";
- Restart = "always";
- RestartSec = "5";
- DynamicUser = !pipeline.allowSudo;
- User = if pipeline.allowSudo then "redpanda-connect-${name}" else null;
+ config = lib.mkIf cfg.enable (
+ let
+ sudoEnabledServices = builtins.filter (pipeline: pipeline.value.allowSudo) (lib.attrsToList cfg.pipelines);
+ in
+ {
+ systemd.services = builtins.listToAttrs (
+ lib.mapAttrsToList (name: pipeline: {
+ name = "redpanda-connect-${name}";
+ value = {
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ Type = "simple";
+ ExecStart =
+ let
+ configFile = pkgs.writeText "redpanda-connect-${name}.json" (builtins.toJSON pipeline.config);
+ in
+ "${cfg.package}/bin/redpanda-connect run ${configFile}";
+ Restart = "always";
+ RestartSec = "5";
+ DynamicUser = !pipeline.allowSudo;
+ User = if pipeline.allowSudo then "redpanda-connect-${name}" else null;
+ };
};
- };
- }) cfg.pipelines
- );
-
- # Allow sudo access to allowed services:
- #security.polkit.extraConfig = ''
- # polkit.addRule(function(action, subject) {
- # if (action.id == "org.freedesktop.systemd1.manage-units" &&
- # action.lookup("unit").startsWith("botcore.") &&
- # subject.user == "botcore") {
- # return polkit.Result.YES;
- # }
- # });
- #'';
+ }) cfg.pipelines
+ );
- security.polkit.extraConfig =
- let
- allowedServices = builtins.filter (pipeline: pipeline.value.allowSudo) (lib.attrsToList cfg.pipelines);
- in
- builtins.concatStringsSep "\n" (
+ security.polkit.extraConfig = builtins.concatStringsSep "\n" (
builtins.map (value: ''
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.systemd1.manage-units" &&
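Review bot: The pipeline config is still rendered into the Nix store with `pkgs.writeText` on the new side (L41), so every pipeline's full JSON, including any broker credentials or API tokens a user puts in `pipeline.config`, is world-readable to every local account, including the other unprivileged `DynamicUser` pipelines. This predates the commit, but it matters more now that some pipelines run as persistent, polkit-privileged users. Keep the structural config in the store but pass secrets out of band, e.g. `LoadCredential=` plus Redpanda Connect's environment/file interpolation, and state on the `config` option that it must not contain secrets (the option declaration is outside this hunk, so I cannot see whether it already says so). Separately, the `allowSudo` branch on L46-L47 sets `User` but no `Group`; since a dedicated system user now exists for it, pin `Group = "redpanda-connect-${name}";` as well rather than relying on whatever primary group that user ends up with.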
@@ -76,7 +65,19 @@ in
return polkit.Result.YES;
}
});
- '') allowedServices
+ '') sudoEnabledServices
);
- };
+
+ users.users = builtins.listToAttrs (
+ lib.mapAttrsToList (name: pipeline: {
+ name = "redpanda-connect-${name}";
+ value = {
+ isSystemUser = true;
+ home = "/var/lib/redpanda-connect-${name}";
+ description = "Redpanda Connect pipeline ${name}";
+ };
+ }) sudoEnabledServices
+ );
+ }
+ );
}
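Review bot: `lib.mapAttrsToList` on L85 is applied to `sudoEnabledServices`, which is a list of `{ name, value }` pairs produced by `builtins.filter` over `lib.attrsToList` (L29), not an attribute set; `mapAttrsToList` goes through `builtins.mapAttrs`, so evaluating `users.users` should fail with a type error as soon as `cfg.enable` is true, even when no pipeline sets `allowSudo`. Iterate the list with `map` and destructure the pair instead. The users also set `isSystemUser = true` without a `group`, which current NixOS releases reject with an assertion, and `home` is declared without `createHome`, so `/var/lib/redpanda-connect-<name>` is never created for the service that runs as this user. The sketch below adds a matching per-pipeline group and creates the home; the `systemd.services` definitions that consume these users are outside this hunk.
```nix
users.users = builtins.listToAttrs (
  builtins.map ({ name, ... }: {
    name = "redpanda-connect-${name}";
    value = {
      isSystemUser = true;
      group = "redpanda-connect-${name}";
      home = "/var/lib/redpanda-connect-${name}";
      createHome = true;
      description = "Redpanda Connect pipeline ${name}";
    };
  }) sudoEnabledServices
);

users.groups = builtins.listToAttrs (
  builtins.map ({ name, ... }: {
    name = "redpanda-connect-${name}";
    value = { };
  }) sudoEnabledServices
);
```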