services: cloudflare-tunnel: Add dedicated account.

* modules/rosenthal/services/child-error.scm (%cloudflare-tunnel-accounts): New variable. (cloudflare-tunnel-service-type)[extensions]: Add it. (cloudflare-tunnel-shepherd-service)[start]: Use the new user.
2025-11-04 11:44:48 +00:00 · 2025-05-16 00:08:29 +08:00 · 2025-05-16 00:08:29 +08:00 · bbeaebcd8e
commit bbeaebcd8e
parent 5d336ad0cf
1 changed files with 13 additions and 2 deletions
--- a/modules/rosenthal/services/child-error.scm
+++ b/modules/rosenthal/services/child-error.scm
@ -160,13 +160,22 @@ headers.  This can expose sensitive information in your logs.")
   "List of extra options.")
  (no-serialization))

+(define %cloudflare-tunnel-accounts
+  (list (user-account
+          (name "cloudflared")
+          (group "nogroup")
+          (system? #t)
+          (home-directory "/var/empty")
+          (create-home-directory? #f)
+          (shell (file-append shadow "/sbin/nologin")))))
+
 (define cloudflare-tunnel-shepherd-service
  (match-record-lambda <cloudflare-tunnel-configuration>
      (cloudflared log-level log-file extra-tunnel-options
                   token token-file extra-options)
    (list (shepherd-service
           (documentation "Run cloudflared.")
-           (provision '(cloudflare-tunnel))
+           (provision '(cloudflare-tunnel cloudflared))
           (requirement '(loopback networking))
           (start #~(make-forkexec-constructor
                     (list #$(file-append cloudflared "/bin/cloudflared")
@ -176,7 +185,7 @@ headers.  This can expose sensitive information in your logs.")
                           #$@extra-tunnel-options
                           "run"
                           #$@extra-options)
-                     #:user "nobody"
+                     #:user "cloudflared"
                     #:group "nogroup"
                     #:log-file #$log-file
                     #:environment-variables
@ -196,6 +205,8 @@ headers.  This can expose sensitive information in your logs.")
   (extensions
    (list (service-extension shepherd-root-service-type
                             cloudflare-tunnel-shepherd-service)
+          (service-extension account-service-type
+                             (const %cloudflare-tunnel-accounts))
          (service-extension log-rotation-service-type
                             (compose list cloudflare-tunnel-configuration-log-file))))
   (default-value (cloudflare-tunnel-configuration))