From fe2727c45b7c6660f128f98c61fc704320536a11 Mon Sep 17 00:00:00 2001
From: Ilya Savitsky
Date: Mon, 17 Feb 2025 15:17:47 +0000
Subject: [PATCH] tandoor_recipes: use static user and group instead of DynamicUser
Signed-off-by: Ilya Savitsky
---
 .../modules/services/misc/tandoor-recipes.nix | 28 +++++++++++++++++--
 1 file changed, 25 insertions(+), 3 deletions(-)
diff --git a/nixos/modules/services/misc/tandoor-recipes.nix b/nixos/modules/services/misc/tandoor-recipes.nix
index 3355e4ab98e0..371a1ee6a7e8 100644
--- a/nixos/modules/services/misc/tandoor-recipes.nix
+++ b/nixos/modules/services/misc/tandoor-recipes.nix
@@ -75,10 +75,33 @@ in
 };
 };
+ user = lib.mkOption {
+ type = lib.types.str;
+ default = "tandoor_recipes";
+ description = "User account under which Tandoor runs.";
+ };
+
+ group = lib.mkOption {
+ type = lib.types.str;
+ default = "tandoor_recipes";
+ description = "Group under which Tandoor runs.";
+ };
+
 package = lib.mkPackageOption pkgs "tandoor-recipes" { };
 };
 config = lib.mkIf cfg.enable {
+ users.users = lib.mkIf (cfg.user == "tandoor_recipes") {
+ tandoor-recipes = {
+ inherit (cfg) group;
+ isSystemUser = true;
+ };
+ };
+
+ users.groups = lib.mkIf (cfg.group == "tandoor_recipes") {
+ tandoor-recipes = { };
+ };
+
 systemd.services.tandoor-recipes = {
 description = "Tandoor Recipes server";
@@ -88,9 +111,8 @@ in
 '';
 Restart = "on-failure";
- User = "tandoor_recipes";
- Group = "tandoor_recipes";
- DynamicUser = true;
+ User = cfg.user;
+ Group = cfg.group;
 StateDirectory = "tandoor-recipes";
 WorkingDirectory = env.MEDIA_ROOT;
 RuntimeDirectory = "tandoor-recipes";
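Review bot: The account and group declared under `config` are keyed `tandoor-recipes` (hyphen), while the `mkIf` guards and both option defaults use `tandoor_recipes` (underscore), so with default settings the name later passed to `User`/`Group` is never created. Because the second hunk removes `DynamicUser`, the unit would most likely fail to resolve its user at start, and `inherit (cfg) group` assigns the account to a group that is not declared. Key both sets by the configured name instead of a literal: replace `tandoor-recipes = {` with `${cfg.user} = {` under `users.users`, and `tandoor-recipes = { };` with `${cfg.group} = { };` under `users.groups`. The two option descriptions could also state that a non-default user or group is not created by the module and must already exist.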
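Review bot: Removing `DynamicUser = true` in this hunk also removes the sandboxing that systemd implies with it (`ProtectSystem=strict`, `ProtectHome=read-only`, `PrivateTmp`, `RemoveIPC`, `NoNewPrivileges`, `RestrictSUIDSGID`), so the server quietly loses confinement as a side effect of the account change. The rest of `serviceConfig` lies outside the hunk; any of these settings not already present there should be set explicitly next to `User`/`Group`, as sketched below. A short comment recording why the static account is needed would help the next reader decide whether `DynamicUser` can return.

```nix
User = cfg.user;
Group = cfg.group;
# Previously implied by DynamicUser = true; keep the same confinement.
# Omit any entry that serviceConfig already sets elsewhere.
ProtectSystem = "strict";
ProtectHome = "read-only";
PrivateTmp = true;
RemoveIPC = true;
NoNewPrivileges = true;
RestrictSUIDSGID = true;
# … unchanged: StateDirectory, WorkingDirectory, RuntimeDirectory …
```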