Use regular user for dendrite

1 files changed, 19 insertions, 3 deletions

diff --git a/matrix.nix b/matrix.nix
index 38b96ed..e883918 100644
--- a/matrix.nix
+++ b/matrix.nix
@@ -16,7 +16,7 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with loang configuration.  If not, see <https://www.gnu.org/licenses/>.
 
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 let
   client = {
     "m.homeserver" = {
@@ -31,12 +31,12 @@ let
   server = {
     "m.server" = "${domain}:443"; # unify with client-server
   };
+  workingDir = "/var/lib/dendrite"; # hardcoded in service
 in {
   services = {
     dendrite = {
       enable = true;
-      settings = let workingDir = "/var/lib/dendrite"; # hardcoded in service
-      in {
+      settings = {
         app_service_api.database.connection_string = "";
         federation_api.database.connection_string = "";
         global = {
@@ -79,6 +79,7 @@ in {
         "= /.well-known/matrix/server" = {
           extraConfig = ''
             add_header Content-Type application/json;
+            add_header Access-Control-Allow-Origin *;
           '';
           return = "200 '${builtins.toJSON server}'";
         };
@@ -113,4 +114,19 @@ in {
       package = pkgs.postgresql_14;
     };
   };
+
+  systemd.services.dendrite.serviceConfig = {
+    DynamicUser = lib.mkForce false;
+    User = "dendrite";
+    Group = "dendrite";
+  };
+
+  users = {
+    users.dendrite = {
+      isSystemUser = true;
+      group = "dendrite";
+      home = workingDir;
+    };
+    groups.dendrite = {};
+  };
 }