From 0c0571462b3d9aa2624e886db860962c472a6f75 Mon Sep 17 00:00:00 2001
From: Hilton Chain
Date: Thu, 1 Dec 2022 22:36:03 +0800
Subject: [PATCH] services: cloudflare-tunnel-service-type: Add %cloudflare-tunnel-accounts.

* rosenthal/services/child-error.scm (%cloudflare-tunnel-accounts): New variable.
(cloudflare-tunnel-shepherd-service,cloudflare-tunnel-service-type): Honor it.
---
 rosenthal/services/child-error.scm | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/rosenthal/services/child-error.scm b/rosenthal/services/child-error.scm
index a2dbe62..1f99d52 100644
--- a/rosenthal/services/child-error.scm
+++ b/rosenthal/services/child-error.scm
@@ -8,9 +8,11 @@
 #:use-module (guix gexp)
 #:use-module (gnu home services)
 #:use-module (gnu home services shepherd)
+ #:use-module (gnu packages admin)
 #:use-module (gnu services)
 #:use-module (gnu services configuration)
 #:use-module (gnu services shepherd)
+ #:use-module (gnu system shadow)
 #:use-module (rosenthal utils home-services-utils)
 #:export (cloudflare-tunnel-configuration
 cloudflare-tunnel-service-type))
@@ -47,6 +49,16 @@
 (extra-options cloudflare-tunnel-configuration-extra-options ;list of string
 (default '())))
+(define %cloudflare-tunnel-accounts
+ (list (user-group (name "cloudflared") (system? #t))
+ (user-account
+ (name "cloudflared")
+ (group "cloudflared")
+ (system? #t)
+ (comment "Cloudflare Tunnel user")
+ (home-directory "/var/empty")
+ (shell (file-append shadow "/sbin/nologin")))))
+
 (define cloudflare-tunnel-shepherd-service
 (match-lambda
 (($ cloudflared metrics
@@ -69,8 +81,8 @@
 '("--post-quantum")
 '())
 #$@extra-options)
- #:user "nobody"
- #:group "nogroup"
+ #:user "cloudflared"
+ #:group "cloudflared"
 #:log-file #$log-file))
 (stop #~(make-kill-destructor))))))))
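Review bot: In the `@@ -47,6 +49,16 @@` hunk, `%cloudflare-tunnel-accounts` is defined without a comment saying why the service gets its own account, and that rationale is the security point of the commit. The `nobody` identity it replaces is commonly shared by unrelated daemons, so processes running under it are not isolated from one another, whereas a dedicated system user with `/var/empty` as home and `nologin` as shell keeps cloudflared under its own identity. I would add above the define: `;; Dedicated unprivileged account for cloudflared, so the daemon does not share the "nobody" identity with other services.`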
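Review bot: In the `@@ -69,8 +81,8 @@` hunk, the `#:user "cloudflared"` and `#:group "cloudflared"` literals repeat the names declared in `%cloudflare-tunnel-accounts`, so a later rename in one place would leave the constructor pointing at an account that is never created. A shared binding such as `(define %cloudflare-tunnel-user "cloudflared")`, referenced from the account records and spliced in as `#:user #$%cloudflare-tunnel-user`, keeps the two in step. Separately, any file handed to the daemon through `extra-options` (a credentials or configuration path, if one is used) now has to be readable by the new user rather than by `nobody`, which deserves a sentence in the service documentation. The enclosing `match-lambda` body starts and ends outside this hunk.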
@@ -79,6 +91,8 @@
 (name 'cloudflare-tunnel)
 (extensions
 (list (service-extension shepherd-root-service-type
- cloudflare-tunnel-shepherd-service)))
+ cloudflare-tunnel-shepherd-service)
+ (service-extension account-service-type
+ (const %cloudflare-tunnel-accounts))))
 (default-value (cloudflare-tunnel-configuration))
 (description "Run cloudflared, the Cloudflare Tunnel daemon.")))
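Review bot: The `description` string at the end of this hunk still says only that the service runs cloudflared, although with the new `account-service-type` extension it also creates a system user and group. Naming the identity there helps an administrator who audits accounts or file ownership, for example `(description "Run cloudflared, the Cloudflare Tunnel daemon, as the unprivileged @code{cloudflared} user.")`. The `service-type` form starts outside this hunk.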