rope/nixos
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

locale + crowdsec: pin timezone, declare static crowdsec user

Browse source 
Two failing services after the channel switch.

automatic-timezoned has been polkit-blocked since well before the
switch — replace with a static Europe/London timezone. Hosts that
travel can override locally if needed.

The vendored crowdsec module's setup unit chowns its config dir to
the (DynamicUser-allocated) crowdsec user via an ExecStartPre+ hack.
On stable's systemd the dynamic user isn't visible to chown via NSS
at that point, so it fails with 'invalid user'. Declaring crowdsec
as a static system user makes systemd use it (DynamicUser becomes a
no-op) and the chown resolves cleanly.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
ediblerope 2026-04-29 14:00:41 +01:00
parent 5e1780b4fe
commit 3819cb6820
2 changed files with 16 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

13
services/crowdsec.nix
View file

@ -49,6 +49,19 @@ in
config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") { config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
# Static user/group for crowdsec. The vendored module relies on
# DynamicUser=true plus a chown hack in crowdsec-setup's ExecStartPre,
# which broke on stable's systemd because the dynamic user isn't
# visible to NSS at chown time. Declaring the user statically makes
# systemd use it (DynamicUser becomes a no-op) and chown succeeds.
users.users.crowdsec = {
isSystemUser = true;
group = "crowdsec";
home = "/var/lib/crowdsec";
description = "CrowdSec security agent";
};
users.groups.crowdsec = { };
services.crowdsec = { services.crowdsec = {
enable = true; enable = true;
name = "fredos-mediaserver"; name = "fredos-mediaserver";

11
settings/locale.nix
View file

@ -2,14 +2,9 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
# Set your time zone. # Static timezone — automatic-timezoned needs polkit rules to call timedate1
#time.timeZone = "Europe/London"; # and was failing on every host. Override on the laptop if it ever moves.
services.automatic-timezoned.enable = true; time.timeZone = "Europe/London";
services.geoclue2 = {
enable = true;
enableDemoAgent = lib.mkForce true;
geoProviderUrl = "https://api.beacondb.net/v1/geolocate?key=geoclue";
};
# Select internationalisation properties. # Select internationalisation properties.
i18n.defaultLocale = "en_GB.UTF-8"; i18n.defaultLocale = "en_GB.UTF-8";