From c2450f04fb1b35b31980f8d8c05f42b5b51e1fa2 Mon Sep 17 00:00:00 2001 From: charludo Date: Mon, 9 Jun 2025 13:17:49 +0200 Subject: [PATCH] pinchflat: use a static user --- nixos/modules/services/misc/pinchflat.nix | 31 ++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/nixos/modules/services/misc/pinchflat.nix b/nixos/modules/services/misc/pinchflat.nix index 75c3bce69c21..a90c197b0bba 100644 --- a/nixos/modules/services/misc/pinchflat.nix +++ b/nixos/modules/services/misc/pinchflat.nix @@ -62,6 +62,22 @@ in description = "Log level for Pinchflat."; }; + user = lib.mkOption { + type = lib.types.str; + default = "pinchflat"; + description = '' + User account under which Pinchflat runs. + ''; + }; + + group = lib.mkOption { + type = lib.types.str; + default = "pinchflat"; + description = '' + Group under which Pinchflat runs. + ''; + }; + extraConfig = mkOption { type = with types; @@ -125,7 +141,9 @@ in serviceConfig = { Type = "simple"; - DynamicUser = true; + User = cfg.user; + Group = cfg.group; + StateDirectory = baseNameOf stateDir; Environment = [ @@ -151,6 +169,17 @@ in }; }; + users.users = lib.mkIf (cfg.user == "pinchflat") { + pinchflat = { + group = cfg.group; + isSystemUser = true; + }; + }; + + users.groups = lib.mkIf (cfg.group == "pinchflat") { + pinchflat = { }; + }; + networking.firewall = mkIf cfg.openFirewall { allowedTCPPorts = [ cfg.port ]; };
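Review bot: The descriptions of the new `user` and `group` options do not say who creates the account. Further down in this patch the `pinchflat` user and group are declared only while the option keeps its default value, so a custom name has to exist already. The option text should say so, for example `If left at the default, this user is created automatically; otherwise it must be declared elsewhere in the configuration.` The two options are also written with `lib.mkOption` / `lib.types.str` while the neighbouring `extraConfig` uses bare `mkOption`; one spelling throughout the module would read better.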
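Review bot: Replacing `DynamicUser = true;` with `User`/`Group` also drops the sandboxing that systemd enables implicitly for dynamic users (ProtectSystem=strict, ProtectHome=read-only, PrivateTmp, RemoveIPC, NoNewPrivileges, RestrictSUIDSGID). The rest of `serviceConfig` lies outside this hunk, so unless it already sets these, the service now runs without those restrictions. I would set at least `ProtectSystem = "strict";`, `PrivateTmp = true;` and `NoNewPrivileges = true;` explicitly next to `User`. With `ProtectSystem = "strict"` the state directory stays writable through `StateDirectory`, but a media directory outside it would presumably need a `ReadWritePaths` entry.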
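Review bot: When `cfg.group` is overridden while `cfg.user` keeps its default, the `pinchflat` user is still created with `group = cfg.group`, but nothing in this hunk creates that group or checks that it exists. The two conditions also compare against the literal `"pinchflat"`, which silently duplicates the option defaults. A short comment above the two `lib.mkIf` blocks would make the contract visible: `# Only the default account is managed here; a custom user or group must be declared by the administrator.`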