From 9d0b8c8f6fba676f9ecf61705e569e59ec16b3af Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Mon, 1 Feb 2021 22:53:19 +0100
Subject: [PATCH] joinmarket-ob-watcher: use DynamicUser

DynamicUser simplifies services that don't need a persistent uid/gid, like joinmarket-ob-watcher. For existing installations the data dir migration to dynamic users is automatically handled by systemd.
---
 modules/joinmarket-ob-watcher.nix | 20 +++-----------------
 1 file changed, 3 insertions(+), 17 deletions(-)

diff --git a/modules/joinmarket-ob-watcher.nix b/modules/joinmarket-ob-watcher.nix
index bf71e50..c56bb6c 100644
--- a/modules/joinmarket-ob-watcher.nix
+++ b/modules/joinmarket-ob-watcher.nix
@@ -46,16 +46,6 @@ in {
 default = "/var/lib/joinmarket-ob-watcher";
 description = "The data directory for JoinMarket orderbook watcher.";
 };
- user = mkOption {
- type = types.str;
- default = "joinmarket-ob-watcher";
- description = "The user as which to run JoinMarket orderbook watcher.";
- };
- group = mkOption {
- type = types.str;
- default = cfg.user;
- description = "The group as which to run JoinMarket orderbook watcher.";
- };
 # This option is only used by netns-isolation
 enforceTor = mkOption {
 readOnly = true;
@@ -73,10 +63,13 @@ in {
 wantedBy = [ "multi-user.target" ];
 requires = [ "tor.service" ];
 after = [ "tor.service" ];
+ # The service writes to HOME/.config/matplotlib
+ environment.HOME = cfg.dataDir;
 preStart = ''
 ln -snf ${configFile} ${cfg.dataDir}/joinmarket.cfg
 '';
 serviceConfig = nbLib.defaultHardening // rec {
+ DynamicUser = true;
 StateDirectory = "joinmarket-ob-watcher";
 StateDirectoryMode = "0770";
 WorkingDirectory = cfg.dataDir; # The service creates dir 'logs' in the working dir
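Review bot: `environment.HOME = cfg.dataDir;` and `WorkingDirectory = cfg.dataDir;` land inside the service's writable state only because the default of `dataDir` happens to equal `/var/lib/` plus the hard-coded `StateDirectory = "joinmarket-ob-watcher"`. With `DynamicUser = true` the unit runs under a transient uid and sees the rest of the file system read-only, so any other `dataDir` value would make the `preStart` symlink and the matplotlib writes fail at start-up. The `dataDir` declaration begins above the first hunk; if it is not already `readOnly`, consider marking it so, or at least add a comment such as `# dataDir must be /var/lib/<StateDirectory>; DynamicUser can only write there`. Separately, as far as this hunk shows nothing else joins the dynamically allocated group, so `StateDirectoryMode = "0700"` would state the intended access more tightly than `"0770"`. The `serviceConfig` set continues past the end of this hunk.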
@@ -84,16 +77,9 @@ in {
 ${nbPkgs.joinmarket}/bin/ob-watcher --datadir=${cfg.dataDir} \
 --host=${cfg.address} --port=${toString cfg.port}
 '';
- User = cfg.user;
 Restart = "on-failure";
 RestartSec = "10s";
 } // nbLib.allowTor;
 };
-
- users.users.${cfg.user} = {
- group = cfg.group;
- home = cfg.dataDir; # The service writes to HOME/.config/matplotlib
- };
- users.groups.${cfg.group} = {};
 };
 }