nixos/haproxy: Revive the haproxy user and group

Running haproxy with "DynamicUser = true" doesn't really work, since it prohibits specifying a TLS certificate bundle with limited permissions. This revives the haproxy user and group, but makes them dynamically allocated by NixOS, rather than statically allocated. It also adds options to specify which user and group haproxy runs as.
2020-03-11 19:52:37 +01:00 · 2020-03-11 19:52:37 +01:00 · bb7ad853fb
commit bb7ad853fb
parent 5c50087566
2 changed files with 27 additions and 3 deletions
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@ -133,7 +133,7 @@ in
      tcpcryptd = 93; # tcpcryptd uses a hard-coded uid. We patch it in Nixpkgs to match this choice.
      firebird = 95;
      #keys = 96; # unused
-      #haproxy = 97; # DynamicUser as of 2019-11-08
+      #haproxy = 97; # dynamically allocated as of 2020-03-11
      mongodb = 98;
      openldap = 99;
      #users = 100; # unused
@ -448,7 +448,7 @@ in
      #tcpcryptd = 93; # unused
      firebird = 95;
      keys = 96;
-      #haproxy = 97; # DynamicUser as of 2019-11-08
+      #haproxy = 97; # dynamically allocated as of 2020-03-11
      #mongodb = 98; # unused
      openldap = 99;
      munin = 102;
--- a/nixos/modules/services/networking/haproxy.nix
+++ b/nixos/modules/services/networking/haproxy.nix
@ -26,6 +26,18 @@ with lib;
        '';
      };

+      user = mkOption {
+        type = types.str;
+        default = "haproxy";
+        description = "User account under which haproxy runs.";
+      };
+
+      group = mkOption {
+        type = types.str;
+        default = "haproxy";
+        description = "Group account under which haproxy runs.";
+      };
+
      config = mkOption {
        type = types.nullOr types.lines;
        default = null;
@ -49,7 +61,8 @@ with lib;
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
-        DynamicUser = true;
+        User = cfg.user;
+        Group = cfg.group;
        Type = "notify";
        # when running the config test, don't be quiet so we can see what goes wrong
        ExecStartPre = "${pkgs.haproxy}/sbin/haproxy -c -f ${haproxyCfg}";
@ -60,5 +73,16 @@ with lib;
        AmbientCapabilities = "CAP_NET_BIND_SERVICE";
      };
    };
+
+    users.users = optionalAttrs (cfg.user == "haproxy") {
+      haproxy = {
+        group = cfg.group;
+        isSystemUser = true;
+      };
+    };
+
+    users.groups = optionalAttrs (cfg.group == "haproxy") {
+      haproxy = {};
+    };
  };
 }