[root@chrysalis:/srv/within/tron]# ls -l /run/keys/tron
-rw-r----- 1 tron within 230 Nov 7 19:55 /run/keys/tron
[root@chrysalis:/srv/within/tron]# su -s $(which bash) tron
bash: /srv/within/tron/.bashrc: Permission denied
[tron@chrysalis:~]$ id
uid=999(tron) gid=999(within) groups=999(within)
[tron@chrysalis:~]$ ls -l /run/keys/tron
ls: cannot access '/run/keys/tron': Permission denied
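{ config, lib, pkgs, ... }:
with lib; {
  # NixOS module declaring an opt-in `within.services.tron` service: a
  # dedicated system user, a NixOps-deployed secret under /run/keys, and a
  # systemd unit that runs the `tron` package as that user.
  options.within.services.tron.enable =
    mkEnableOption "Tron fights for the users";

  config = mkIf config.within.services.tron.enable {
    # User account
    users.users.tron = {
      createHome = true;
      description = "Tron fights for the users";
      isSystemUser = true;
      group = "within";
      # NixOps stores deployment keys in /run/keys, a directory that is only
      # traversable by root and members of the `keys` group.  The key file
      # itself is owned by tron with mode 0640, but without `keys` membership
      # the tron user cannot even stat it, which is the
      # "ls: cannot access '/run/keys/tron': Permission denied" seen in the
      # transcript.  Group membership grants directory traversal only; the
      # file mode still limits who can read the secret.
      extraGroups = [ "keys" ];
      home = "/srv/within/tron";
      # NOTE(review): the "/srv/within/tron/.bashrc: Permission denied" in the
      # transcript suggests the home directory (or .bashrc) is not owned by
      # tron; createHome does not fix ownership of a pre-existing directory.
      # Confirm ownership on the host.
    };

    # Secret config
    deployment.keys.tron = {
      # Read on the deploying machine at evaluation time.  NixOps sends key
      # material to the target separately from the Nix store, so the secret
      # does not become a world-readable store path.
      text = builtins.readFile ./secrets/tron.env;
      user = "tron";
      group = "within";
      # Owner read/write, group read, no access for others.
      permissions = "0640";
    };

    # Service
    systemd.services.tron = {
      wantedBy = [ "multi-user.target" ];
      # NixOps provides a `<name>-key.service` unit per key; ordering after it
      # ensures /run/keys/tron is present before tron starts and that tron is
      # restarted if the key has to be re-uploaded after a reboot.
      after = [ "tron-key.service" ];
      wants = [ "tron-key.service" ];
      serviceConfig = {
        # Drop privileges to the dedicated account; the key's 0640 mode plus
        # the user/group pair above is what scopes access to the secret.
        User = "tron";
        Group = "within";
        Restart = "on-failure";
      };
      script = let tron = pkgs.within.tron;
      in ''
        export REGEXES=${tron}/regexes.dhall
        exec ${tron}/bin/tron
      '';
    };
  };
}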