From f5913101f08423e458092b1e0c1afe4142beeca3 Mon Sep 17 00:00:00 2001
From: Dominik Polakovics <dominik.polakovics@cloonar.com>
Date: Tue, 29 Apr 2025 10:23:35 +0200
Subject: [PATCH] fix: run updns-client with new user

---
 modules/cloonar-assistant/updns/default.nix | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/modules/cloonar-assistant/updns/default.nix b/modules/cloonar-assistant/updns/default.nix
index 8ea1bb4..d23c356 100644
--- a/modules/cloonar-assistant/updns/default.nix
+++ b/modules/cloonar-assistant/updns/default.nix
@@ -5,6 +5,12 @@
     jq
   ];
 
+  users.users.updns-client = {
+    isSystemUser = true;
+    group = "updns-client";
+  };
+  users.groups.updns-client = { };
+
   sops.secrets.updns-client = {
     owner = "updns-client";
     restartUnits = [ "updns-client.service" ];
@@ -63,6 +69,7 @@
 
   ### 5) Define the oneshot service
   systemd.services.updns-client = lib.mkIf config.cloonar-assistant.updns-client.enable {
+    user        = "updns-client";
     description = "Check external IP and notify API on change";
     after       = [ "network-online.target" ];
     wants       = [ "network-online.target" ];