From 3819cb6820a750a07cd50b2d94ed724538ddbc91 Mon Sep 17 00:00:00 2001 From: ediblerope Date: Wed, 29 Apr 2026 14:00:41 +0100 Subject: [PATCH] locale + crowdsec: pin timezone, declare static crowdsec user MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two failing services after the channel switch. automatic-timezoned has been polkit-blocked since well before the switch — replace with a static Europe/London timezone. Hosts that travel can override locally if needed. The vendored crowdsec module's setup unit chowns its config dir to the (DynamicUser-allocated) crowdsec user via an ExecStartPre+ hack. On stable's systemd the dynamic user isn't visible to chown via NSS at that point, so it fails with 'invalid user'. Declaring crowdsec as a static system user makes systemd use it (DynamicUser becomes a no-op) and the chown resolves cleanly. Co-Authored-By: Claude Opus 4.7 --- services/crowdsec.nix | 13 +++++++++++++ settings/locale.nix | 11 +++-------- 2 files changed, 16 insertions(+), 8 deletions(-) diff --git a/services/crowdsec.nix b/services/crowdsec.nix index 5525638..654bb9e 100644 --- a/services/crowdsec.nix +++ b/services/crowdsec.nix @@ -49,6 +49,19 @@ in config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") { + # Static user/group for crowdsec. The vendored module relies on + # DynamicUser=true plus a chown hack in crowdsec-setup's ExecStartPre, + # which broke on stable's systemd because the dynamic user isn't + # visible to NSS at chown time. Declaring the user statically makes + # systemd use it (DynamicUser becomes a no-op) and chown succeeds. + users.users.crowdsec = { + isSystemUser = true; + group = "crowdsec"; + home = "/var/lib/crowdsec"; + description = "CrowdSec security agent"; + }; + users.groups.crowdsec = { }; + services.crowdsec = { enable = true; name = "fredos-mediaserver"; diff --git a/settings/locale.nix b/settings/locale.nix index 8f4d460..3e1c58d 100644 --- a/settings/locale.nix 
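Review bot: The comment added above `users.users.crowdsec` says DynamicUser "becomes a no-op", which overstates what the static declaration changes and could mislead a later hardening review of this service. As far as systemd's documented behaviour goes, an existing user of the configured name is reused instead of a dynamic one being allocated, but the unit still carries DynamicUser=true, so the sandboxing that option implies should stay in effect; this is worth confirming on the host with `systemctl show -p User -p DynamicUser crowdsec-setup`. I would reword the last comment sentence to `# Declaring the user statically stops systemd allocating a dynamic UID; the unit's DynamicUser= sandboxing is unchanged.` and add `# Workaround for the vendored module's chown; drop once the module is fixed.` The enclosing `config = lib.mkIf … {` block starts before and continues past this hunk, so I cannot see whether anything else in it depends on the old dynamic UID.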
+++ b/settings/locale.nix @@ -2,14 +2,9 @@ { config, pkgs, lib, ... }: { -# Set your time zone. -#time.timeZone = "Europe/London"; -services.automatic-timezoned.enable = true; -services.geoclue2 = { - enable = true; - enableDemoAgent = lib.mkForce true; - geoProviderUrl = "https://api.beacondb.net/v1/geolocate?key=geoclue"; -}; +# Static timezone — automatic-timezoned needs polkit rules to call timedate1 +# and was failing on every host. Override on the laptop if it ever moves. +time.timeZone = "Europe/London"; # Select internationalisation properties. i18n.defaultLocale = "en_GB.UTF-8";
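Review bot: `time.timeZone = "Europe/London";` is set at normal priority, so the per-host override promised by the new comment and the commit message would collide with it. This file appears to be shared by every host, and a second plain definition of the same option on the laptop would most likely fail evaluation with conflicting definitions unless it uses `lib.mkForce`. Writing the line as `time.timeZone = lib.mkDefault "Europe/London";` keeps the pinned zone everywhere while letting a host override it with an ordinary assignment; `lib` is already in the module arguments shown at the top of the hunk.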