From c0410bb7b6d4e9ed1cd5ca412aac54b78ff8ea36 Mon Sep 17 00:00:00 2001
From: Florian Sesser <florian@private.storage>
Date: Tue, 10 Aug 2021 17:04:12 +0000
Subject: [PATCH] Add zkapissuer user and group and make PaymentServer run as
 it

---
 morph/lib/issuer.nix     |  8 ++++----
 nixos/modules/issuer.nix | 21 +++++++++++++++++++++
 2 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/morph/lib/issuer.nix b/morph/lib/issuer.nix
index 51046b43..2c30f075 100644
--- a/morph/lib/issuer.nix
+++ b/morph/lib/issuer.nix
@@ -9,15 +9,15 @@ rec {
     secrets = {
       "ristretto-signing-key" = {
         destination = "/run/keys/ristretto.signing-key";
-        owner.user = "root";
-        owner.group = "root";
+        owner.user = "zkapissuer";
+        owner.group = "zkapissuer";
         permissions = "0400";
         action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
       };
       "stripe-secret-key" = {
         destination = "/run/keys/stripe.secret-key";
-        owner.user = "root";
-        owner.group = "root";
+        owner.user = "zkapissuer";
+        owner.group = "zkapissuer";
         permissions = "0400";
         action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
       };
diff --git a/nixos/modules/issuer.nix b/nixos/modules/issuer.nix
index 10de1984..f28bec2d 100644
--- a/nixos/modules/issuer.nix
+++ b/nixos/modules/issuer.nix
@@ -155,6 +155,13 @@ in {
       serviceConfig.Restart = "always";
       serviceConfig.Type = "simple";
 
+      # Run w/o privileges
+      serviceConfig = {
+        DynamicUser = false;
+        User = "zkapissuer";
+        Group = "zkapissuer";
+      };
+
       script =
         let
           # Compute the right command line arguments to pass to it.  The
@@ -182,6 +189,20 @@ in {
           "${cfg.package}/bin/PaymentServer-exe ${originArgs} ${issuerArgs} ${databaseArgs} ${httpArgs} ${stripeArgs}";
     };
 
+    # PaymentServer runs as this user and group by default
+    # Mind the comments in nixpkgs/nixos/modules/misc/ids.nix: "When adding a uid,
+    # make sure it doesn't match an existing gid. And don't use uids above 399!"
+    ids.uids.zkapissuer = 397;
+    ids.gids.zkapissuer = 397;
+    users.extraGroups.zkapissuer.gid = config.ids.gids.zkapissuer;
+    users.extraUsers.zkapissuer = {
+      uid = config.ids.uids.zkapissuer;
+      isNormalUser = false;
+      group = "zkapissuer";
+      # Let PaymentServer read from keys, if necessary.
+      extraGroups = [ "keys" ];
+    };
+
     # Open 80 and 443 for the certbot HTTP server and the PaymentServer HTTPS server.
     networking.firewall.allowedTCPPorts = [
       80
-- 
GitLab