From 9e0457115e7eb3f106b9ea60ab3ca92daed5b03f Mon Sep 17 00:00:00 2001
From: rnhmjoj
Date: Sun, 3 Sep 2023 23:02:18 +0200
Subject: [PATCH] nixos/mautrix-whatsapp: use static user and group

The DynamicUser mechanism does not allow share the bridge registration.yaml file with matrix-synapse in any easy way:

1. the mautrix-whatsapp group under which the service runs is not in /etc/group, so you can't add matrix-synapse to this. This makes the group read bit on the file useless as the group is effectively always empty.

2. It's not possible to use ACLs or copy the file during preStart or postStart because the commands are executed with low priviledges.

By using a normal (static) user/group the secret can be shared with synapse as follows:

  services.matrix_synapse.settings.app_service_config_files = [
    "/var/lib/mautrix-whatsapp/whatsapp-registration.yaml"
  ];

  users.users.matrix-synapse.extraGroups = [ "mautrix-whatsapp" ];

---
 .../modules/services/matrix/mautrix-whatsapp.nix | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/services/matrix/mautrix-whatsapp.nix b/nixos/modules/services/matrix/mautrix-whatsapp.nix
index b4d49f6e425..4f776bf0364 100644
--- a/nixos/modules/services/matrix/mautrix-whatsapp.nix
+++ b/nixos/modules/services/matrix/mautrix-whatsapp.nix
@@ -117,6 +117,16 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
+
+    users.users.mautrix-whatsapp = {
+      isSystemUser = true;
+      group = "mautrix-whatsapp";
+      home = dataDir;
+      description = "Mautrix-WhatsApp bridge user";
+    };
+
+    users.groups.mautrix-whatsapp = {};
+
     services.mautrix-whatsapp.settings = {
       homeserver.domain = lib.mkDefault config.services.matrix-synapse.settings.server_name;
     };
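Review bot: The reason for a static account instead of DynamicUser exists only in the commit message; the `users.users.mautrix-whatsapp` block added in this hunk should carry it so a later cleanup does not switch it back. A one-line comment above the attribute set would do, e.g. `# Static user/group (not DynamicUser) so matrix-synapse can be added to the group and read the registration file.`. The sharing recipe relies on group membership, and nothing in the module limits who joins that group; that is acceptable as long as deployments keep it to the homeserver account, which is worth saying in the same comment.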
@@ -158,10 +168,11 @@ in {
       '';
 
       serviceConfig = {
-        DynamicUser = true;
+        User = "mautrix-whatsapp";
+        Group = "mautrix-whatsapp";
         EnvironmentFile = cfg.environmentFile;
         StateDirectory = baseNameOf dataDir;
-        WorkingDirectory = "${dataDir}";
+        WorkingDirectory = dataDir;
         ExecStart = ''
           ${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp \
           --config='${settingsFile}' \
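Review bot: Replacing `DynamicUser = true` with `User`/`Group` in serviceConfig also drops the hardening that DynamicUser implies (systemd.exec(5) documents it as implying ProtectSystem=strict, ProtectHome=read-only, PrivateTmp, RemoveIPC, NoNewPrivileges and RestrictSUIDSGID), so the bridge now runs with a looser sandbox than before while still handling the appservice registration secrets. Re-adding those options explicitly keeps the previous confinement with the static account, and StateDirectory already keeps the data directory writable under ProtectSystem=strict. The registration file is the secret being shared through the group, and nothing in this hunk constrains its mode — that depends on how preStart (outside the hunk) writes it, so it is worth confirming the file is group- but not world-readable. The serviceConfig attribute set continues past the end of the hunk.
```nix
      serviceConfig = {
        User = "mautrix-whatsapp";
        Group = "mautrix-whatsapp";
        # Hardening that DynamicUser=true used to imply; keep it with the static account.
        ProtectSystem = "strict";
        ProtectHome = "read-only";
        PrivateTmp = true;
        RemoveIPC = true;
        NoNewPrivileges = true;
        RestrictSUIDSGID = true;
        # … unchanged: EnvironmentFile, StateDirectory, WorkingDirectory, ExecStart …
```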