hswaw/customs: disable DynamicUser for dhcpd / checkinator

Change-Id: I9c7feccf8eb908bf3808afb2ffc5adac50d7abd9
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1455
Reviewed-by: q3k <q3k@hackerspace.pl>

hswaw/machines/customs.hackerspace.pl/checkinator-tracker.nix

@@ -24,7 +24,7 @@ let
   '';
   config = builtins.toFile "${name}-config.yaml" (pkgs.lib.generators.toYAML {} {
     # path to dhcpd lease file
-    LEASE_FILE = "/var/lib/dhcp/dhcpd.leases";
+    LEASE_FILE = "/var/lib/dhcpd4/dhcpd.leases";
 
     # timeout for old leases
     TIMEOUT = 1500;
@@ -51,7 +51,7 @@ in {
 
     serviceConfig.User = "${user}";
     serviceConfig.Type = "simple";
-      
+
     serviceConfig.ExecStartPre = [
       ''!${prepare}/bin/${name}-prepare''
     ];
@@ -61,6 +61,7 @@ in {
       ''!${pkgs.coreutils}/bin/rm -rf ${socket_dir}''
     ];
 
+    serviceConfig.DynamicUser = false;
   };
   environment.systemPackages = [ checkinator ];
 }

hswaw/machines/customs.hackerspace.pl/checkinator-web.nix

@@ -35,23 +35,23 @@ let
   config = builtins.toFile "${name}-config.yaml" (pkgs.lib.generators.toYAML {} {
     # local sqlite db for storing user and MAC
     DB = "/var/checkinator-web/at.db";
-    
+
     # debug option interpreted by flask app
     DEBUG = false;
-    
+
     # url to member wiki page
     # "${login}" string is replaced by member login (uid)
     WIKI_URL = "https://wiki.hackerspace.pl/people:\${login}:start";
-    
+
     CLAIMABLE_PREFIXES = [
       "10.8.0."
       "2a0d:eb00:4242:0:"
     ];
     CLAIMABLE_EXCLUDE = [ ];
-    
+
     SPACEAUTH_CONSUMER_KEY = "checkinator";
     SECRETS_FILE = "/mnt/secrets/checkinator-web/secrets.yaml";
-    
+
     SPECIAL_DEVICES = {
       kektops = [ "90:e6:ba:84" ];
       esps = [
@@ -64,9 +64,9 @@ let
         "52:54:00" # craptrap VMs
       ];
     };
-    
+
     PROXY_FIX = true;
-    
+
     GRPC_TLS_CERT_DIR = "/mnt/secrets/checkinator-web";
     GRPC_TLS_CA_CERT = "/mnt/secrets/checkinator-web/ca.pem";
     GRPC_TLS_ADDRESS = "[::1]:2847";
@@ -85,7 +85,7 @@ in {
 
     serviceConfig.User = "${user}";
     serviceConfig.Type = "simple";
-      
+
     environment = {
       CHECKINATOR_WEB_CONFIG=config;
     };
@@ -99,12 +99,14 @@ in {
         fi
       ''}"
     ];
-    serviceConfig.workingDirectory = checkinator;
+    serviceConfig.WorkingDirectory = checkinator;
     serviceConfig.ExecStart = "${python}/bin/gunicorn -b unix:${socket_dir}/web.sock at.webapp:app";
     serviceConfig.ExecStopPost = [
       ''!${pkgs.coreutils}/bin/rm -rf /mnt/secrets/${name}''
     ];
 
+    serviceConfig.DynamicUser = false;
+
   };
 
   services.nginx.virtualHosts."at.hackerspace.pl" = {
@@ -120,9 +122,9 @@ in {
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-	proxy_set_header X-Forwarded-Host $host:$server_port;
-	proxy_set_header X-Forwarded-Server $host;
-	proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host:$server_port;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-Proto $scheme;
       '';
     };
   };

hswaw/machines/customs.hackerspace.pl/configuration.nix

@@ -316,10 +316,20 @@ in {
 
   services.dhcpd4 = {
     enable = true;
-    configFile = ./dhcpd.conf;
+    configFile = "${./dhcpd.conf}";
     interfaces = ["lan"];
   };
 
+  # Checkinator needs access to leases file. When DynamicUser is enable this
+  # file is hidden in /var/lib/private
+  systemd.services.dhcpd4.serviceConfig.DynamicUser= pkgs.lib.mkForce false;
+  users.users.dhcpd = {
+    group = "dhcpd";
+    isSystemUser = true;
+    uid = 1005;
+  };
+  users.groups."dhcpd" = {};
+
   hscloud.routing = {
     enable = true;
     # TODO(q3k): make this optional in upstream