From 509c861529f85f3e2f42860950b04d59fcb80447 Mon Sep 17 00:00:00 2001 From: Drew Haven Date: Mon, 28 Apr 2025 15:57:16 -0700 Subject: [PATCH] [mcp] Reworks how system users are defined. [public-html] Adds system user for pushing updates. --- system/hosts/mcp/containers.nix | 21 +------- system/hosts/mcp/containers/bookstack.nix | 20 ++------ system/hosts/mcp/containers/focalboard.nix | 19 ++----- system/hosts/mcp/containers/mariadb.nix | 10 +--- system/hosts/mcp/containers/offen.nix | 5 +- system/hosts/mcp/containers/pocket-id.nix | 16 +----- system/hosts/mcp/containers/user-ids.nix | 37 -------------- system/hosts/mcp/containers/users.nix | 59 ++++++++++++++++++++++ 8 files changed, 71 insertions(+), 116 deletions(-) delete mode 100644 system/hosts/mcp/containers/user-ids.nix create mode 100644 system/hosts/mcp/containers/users.nix diff --git a/system/hosts/mcp/containers.nix b/system/hosts/mcp/containers.nix index a6dd8ad..9c6cc40 100644 --- a/system/hosts/mcp/containers.nix +++ b/system/hosts/mcp/containers.nix @@ -18,6 +18,7 @@ ./containers/shared-postgres.nix ./containers/synapse.nix ./containers/traefik.nix + ./containers/users.nix ]; # Enable common container config files in /etc/containers @@ -44,26 +45,6 @@ #podman-compose # start group of containers for dev ]; - users.groups = { - git = { }; - timetagger = { }; - }; - users.users = { - gitea = { - uid = 2001; - isSystemUser = true; - description = "System User for Gitea"; - extraGroups = [ "git" ]; - group = "git"; - }; - timetagger = { - uid = 2002; - isSystemUser = true; - description = "System User for TimeTagger"; - group = "timetagger"; - }; - }; - virtualisation.oci-containers.backend = "podman"; virtualisation.oci-containers.containers = let diff --git a/system/hosts/mcp/containers/bookstack.nix b/system/hosts/mcp/containers/bookstack.nix index 172d345..6fde8db 100644 --- a/system/hosts/mcp/containers/bookstack.nix +++ b/system/hosts/mcp/containers/bookstack.nix 
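Review bot: The `timetagger` user and group removed in the second hunk have no replacement — users.nix only carries `# timetagger = 2002;` as a comment — so after this commit the account no longer exists and uid 2002 becomes free for reuse; anything still running as timetagger, or data on disk owned by 2002, is affected, and the commit message does not mention dropping it. Either restore the entry (`timetagger = 2002;` in `systemUsers`) or state the intentional removal in the commit message. The gitea user also changes primary group from `git` to a newly generated `gitea` group, because mkUser in users.nix sets `group = "${name}"` for every entry; that changes the group ownership of files gitea creates from now on, and if `git` should stay primary the entry needs a way to express `group = "git"`.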
@@ -1,29 +1,17 @@ { config, ... }: let inherit (import ./lib.nix config) mkContainer mkMariaDbContainer havenisms; - userIds = import ./user-ids.nix; in { imports = [ (mkMariaDbContainer { name = "bookstack"; - uid = userIds.bookstack.uid; - gid = userIds.bookstack.gid; + uid = config.users.users.bookstack.uid; + gid = config.users.groups.bookstack.gid; directory = "/tank/bookstack/db"; passwordSecret = "bookstack_db"; }) ]; - users.groups.bookstack = { - gid = userIds.bookstack.gid; - }; - - users.users.bookstack = { - uid = userIds.bookstack.uid; - isSystemUser = true; - description = "System User for Bookstack"; - group = "bookstack"; - }; - sops.secrets = { bookstack_app_key = { restartUnits = [ "podman-bookstack.service" ]; @@ -55,8 +43,8 @@ in { ]; environment = { APP_URL = "https://bookstack.${havenisms}"; - PID = toString userIds.bookstack.uid; - GID = toString userIds.bookstack.gid; + PID = toString config.users.users.bookstack.uid; + GID = toString config.users.groups.bookstack.gid; DB_HOST = "bookstack-mariadb"; DB_USERNAME = "bookstack"; DB_DATABASE = "bookstack"; diff --git a/system/hosts/mcp/containers/focalboard.nix b/system/hosts/mcp/containers/focalboard.nix index 47be53a..3ba4728 100644 --- a/system/hosts/mcp/containers/focalboard.nix +++ b/system/hosts/mcp/containers/focalboard.nix 
@@ -1,30 +1,17 @@ { config, ... }: let inherit (import ./lib.nix config) mkContainer mkPostgresContainer terakoda; - userIds = import ./user-ids.nix; - in { imports = [ (mkPostgresContainer { name = "focalboard"; directory = "/tank/focalboard/db"; - uid = userIds.focalboard.uid; - gid = userIds.focalboard.gid; + uid = config.users.users.focalboard.uid; + gid = config.users.groups.focalboard.gid; passwordSecret = "focalboard/database"; }) ]; - users.groups.focalboard = { - gid = userIds.focalboard.gid; - }; - - users.users.focalboard = { - uid = userIds.focalboard.uid; - isSystemUser = true; - description = "System User for Focalboard"; - group = "focalboard"; - }; - sops.secrets = { "focalboard/database" = { restartUnits = [ "podman-focalboard.service" "podman-focalboard-postgres.service" ]; @@ -63,7 +50,7 @@ in { domain = terakoda; dependsOn = [ "focalboard-postgres" ]; port = 8000; - user = "${toString userIds.focalboard.uid}:${toString userIds.focalboard.gid}"; + user = "${toString config.users.users.focalboard.name}:${config.users.groups.focalboard.name}"; volumes = [ "/tank/focalboard/data/files:/opt/focalboard/data/files" "${config.sops.templates."focalboard-config.json".path}:/opt/focalboard/config.json:ro" diff --git a/system/hosts/mcp/containers/mariadb.nix b/system/hosts/mcp/containers/mariadb.nix index 89f4e1e..7fe0af4 100644 --- a/system/hosts/mcp/containers/mariadb.nix +++ b/system/hosts/mcp/containers/mariadb.nix @@ -1,14 +1,6 @@ # Common config for all mariadb containers { ... }: -let - userIds = import ./user-ids.nix; -in { - users = { - groups."mariadb" = { - gid = userIds.mariadb.gid; - }; - }; - +{ sops.secrets."mariadb_root_password" = { restartUnits = [ "podman-mariadb.service" ]; mode = "0440"; diff --git a/system/hosts/mcp/containers/offen.nix b/system/hosts/mcp/containers/offen.nix index 34bc826..eef4ff6 100644 --- a/system/hosts/mcp/containers/offen.nix +++ b/system/hosts/mcp/containers/offen.nix 
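Review bot: The new `user = "${toString config.users.users.focalboard.name}:${config.users.groups.focalboard.name}"` in the last focalboard hunk switches from numeric ids to names, and podman resolves a `--user` name against the image's own /etc/passwd and /etc/group rather than the host's; unless the focalboard image defines a `focalboard` user and group, the container is likely to fail to start, a dependency the numeric form the commit removes did not have. Keeping the ids while still sourcing them from the module is `user = "${toString config.users.users.focalboard.uid}:${toString config.users.groups.focalboard.gid}";`. The `toString` around `.name` is also redundant since the name is already a string, and the gid side has none. The offen.nix hunk makes the same change with `user = "offen:offen";` and can take the same fix.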
@@ -1,10 +1,7 @@ { config, ... }: let inherit (import ./lib.nix config) mkContainer terakoda; - userIds = import ./user-ids.nix; in { - users = userIds.mkUserAndGroup "offen" userIds.offen; - sops = { secrets = { "offen/smtp-token" = {}; @@ -30,7 +27,7 @@ in { image = "offen/offen"; hostName = "offen"; domain = terakoda; - user = "${toString userIds.offen.uid}:${toString userIds.offen.gid}"; + user = "offen:offen"; port = 80; volumes = [ "${config.sops.templates."offen.env".path}:/etc/offen/offen.env:ro" diff --git a/system/hosts/mcp/containers/pocket-id.nix b/system/hosts/mcp/containers/pocket-id.nix index 432c6a7..a31f3aa 100644 --- a/system/hosts/mcp/containers/pocket-id.nix +++ b/system/hosts/mcp/containers/pocket-id.nix @@ -1,7 +1,6 @@ { config, ... }: let inherit (import ./lib.nix config) mkContainer blazestar; - userIds = import ./user-ids.nix; # The default is to run on port 80, which the pocket-id user cannot bind to. # We need a different port to be able to serve traffic. # The following ports in the container are already taken: @@ -11,17 +10,6 @@ let port = 8888; in { - users.groups.pocket-id = { - gid = userIds.pocket-id.gid; - }; - - users.users.pocket-id = { - uid = userIds.pocket-id.uid; - isSystemUser = true; - description = "System User for Pocket ID"; - group = "pocket-id"; - }; - virtualisation.oci-containers.containers.pocket-id = mkContainer { image = "ghcr.io/pocket-id/pocket-id"; dependsOn = []; @@ -45,8 +33,8 @@ in CADDY_PORT = toString port; # PORT = "3000"; # Frontend port # BACKEND_PORT = "8080"; # Backend port - PUID = toString userIds.pocket-id.uid; - PGID = toString userIds.pocket-id.gid; + PUID = toString config.users.users."pocket-id".uid; + PGID = toString config.users.groups."pocket-id".gid; }; }; } diff --git a/system/hosts/mcp/containers/user-ids.nix b/system/hosts/mcp/containers/user-ids.nix deleted file mode 100644 index 71b3a06..0000000 --- a/system/hosts/mcp/containers/user-ids.nix +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - gitea = 2001; - timetagger = 2002; - pocket-id = { - uid = 2003; - gid = 2003; - }; - bookstack = { - uid = 2004; - gid = 2004; - }; - mariadb = { - uid = 2005; - gid = 2005; - }; - focalboard = { - uid = 2006; - gid = 2006; - }; - offen = { - uid = 2007; - gid = 2007; - }; - - mkUserAndGroup = name: ids: { - groups."${name}" = { - gid = ids.gid; - }; - - users."${name}" = { - uid = ids.uid; - isSystemUser = true; - description = "System User for ${name}"; - group = "${name}"; - }; - }; -} diff --git a/system/hosts/mcp/containers/users.nix b/system/hosts/mcp/containers/users.nix new file mode 100644 index 0000000..10646ce --- /dev/null +++ b/system/hosts/mcp/containers/users.nix @@ -0,0 +1,59 @@ +{ pkgs, ... }: let + systemUsers = { + gitea = { + uid = 2001; + extraGroups = [ "git" ]; + }; + # timetagger = 2002; + pocket-id = 2003; + bookstack = 2004; + mariadb = 2005; + focalboard = 2006; + offen = 2007; + public-html = { + uid = 2008; + shell = "${pkgs.git}/bin/git-shell"; + }; + }; + + mkUser = name: value: let + uid = + if builtins.isInt value + then value + else value.uid; + shell = + if builtins.isAttrs value && builtins.hasAttr "shell" value + then value.shell + else null; + extraGroups = + if builtins.isAttrs value && builtins.hasAttr "extraGroups" value + then value.extraGroups + else []; + in { + inherit uid shell extraGroups; + isSystemUser = true; + description = "System User for ${name}"; + group = "${name}"; + }; + mkGroup = name: value: let + # 1. Value if int + # 2. "gid" if present + # 3. "uid" + gid = + if builtins.isInt value + then value + else if builtins.hasAttr "gid" value + then value.gid + else value.uid; + in { + inherit gid; + }; +in { + users.users = builtins.mapAttrs mkUser systemUsers; + users.groups = (builtins.mapAttrs mkGroup systemUsers) // { + # Legacy groups. + git = { + gid = 992; + }; + }; +}
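Review bot: In `mkUser`, `shell` falls back to `null` and is then set unconditionally through `inherit uid shell extraGroups`, which makes it an explicit option value rather than the NixOS default (`pkgs.shadow`, i.e. nologin); if that null is passed through to the generated passwd entry, every container user ends up with an empty shell field instead of nologin, which is worth confirming with `getent passwd bookstack` on the built host. Setting `shell` only when the entry provides one avoids the question, and normalising the int shorthand first removes the three repeated `builtins.isInt` / `hasAttr` branches; the rewrite below leaves `extraGroups` to its `[]` default and strips a `gid` key so it cannot leak into users.users. The `public-html` entry with `shell = "${pkgs.git}/bin/git-shell"` is the only one that sets a shell on purpose; nothing in this hunk gives it a `home` or authorized keys, so presumably that is configured elsewhere.
```nix
  mkUser = name: value: let
    # Accept either the int shorthand (uid only) or an attribute set;
    # only keys the entry actually provides are forwarded, so `shell`
    # keeps the NixOS default unless set. `gid` is consumed by mkGroup.
    attrs = if builtins.isInt value then { uid = value; } else value;
  in (builtins.removeAttrs attrs [ "gid" ]) // {
    isSystemUser = true;
    description = "System User for ${name}";
    group = name;
  };
  # … unchanged: mkGroup and the users.users / users.groups assignments …
```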