From cc211d016b8d8e0267602f0cb206fc405e32df36 Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Fri, 19 Sep 2025 20:55:19 +0200
Subject: [PATCH] gatus: Disable `DynamicUser`

---
 modules/system/services/gatus.nix | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/modules/system/services/gatus.nix b/modules/system/services/gatus.nix
index 284b50e..215e078 100644
--- a/modules/system/services/gatus.nix
+++ b/modules/system/services/gatus.nix
@@ -6,7 +6,9 @@
 }:
 let
   cfg = config.custom.services.gatus;
+
   tailscaleDomain = config.custom.services.tailscale.domain;
+  dataDir = "/var/lib/gatus";
 in
 {
   options.custom.services.gatus = {
@@ -78,10 +80,27 @@ in
       secrets."healthchecks/ping-key" = { };
       templates."gatus.env" = {
         content = "HEALTHCHECKS_PING_KEY=${config.sops.placeholder."healthchecks/ping-key"}";
+        owner = config.users.users.gatus.name;
         restartUnits = [ "gatus.service" ];
       };
     };
 
+    users = {
+      users.gatus = {
+        isSystemUser = true;
+        group = config.users.groups.gatus.name;
+      };
+      groups.gatus = { };
+    };
+
+    systemd.services.gatus.serviceConfig = {
+      DynamicUser = lib.mkForce false;
+      ProtectSystem = "strict";
+      ProtectHome = "read-only";
+      PrivateTmp = true;
+      RemoveIPC = true;
+    };
+
     custom.services.gatus.endpoints =
       let
         getSubdomain = domain: domain |> lib.splitString "." |> lib.head;
@@ -114,7 +133,7 @@ in
       };
       storage = {
         type = "sqlite";
-        path = "/var/lib/gatus/data.db";
+        path = "${dataDir}/data.db";
       };
       connectivity.checker.target = "1.1.1.1:53"; # Cloudflare DNS
       alerting.ntfy = {
@@ -173,6 +192,6 @@ in
       };
     };
 
-    custom.persist.directories = [ "/var/lib/private/gatus" ];
+    custom.persist.directories = [ dataDir ];
   };
 }
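Review bot: The `systemd.services.gatus.serviceConfig` block forces `DynamicUser` off but sets neither `User` nor `Group`, so the unit only runs as the new static `gatus` account if the upstream module already pins `User = "gatus"`; otherwise it falls back to root while the sops template is chowned to `gatus`. Pin the identity next to the override rather than relying on that: `User = config.users.users.gatus.name;` and `Group = config.users.groups.gatus.name;`. With `ProtectSystem = "strict"` the filesystem is read-only except for paths systemd carves out, so `/var/lib/gatus` is writable only if `StateDirectory = "gatus"` (or `ReadWritePaths = [ dataDir ]`) is in effect; if the upstream module does not declare it, add it here or the sqlite store at `${dataDir}/data.db` cannot be opened. The enclosing `config` attribute set starts and ends outside the hunk.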
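Review bot: Switching `custom.persist.directories` from `/var/lib/private/gatus` to `/var/lib/gatus` leaves the already-persisted store in place but unreferenced, so gatus presumably starts with an empty `data.db` after this change unless the old directory is moved by hand. A one-time migration on the persistent volume (`mv /var/lib/private/gatus/* /var/lib/gatus/`) followed by `chown -R gatus:gatus /var/lib/gatus` is worth recording in the commit message, since files created under the former transient UID are not owned by the new static user. If `custom.persist` already handles this, a short comment on the line saying so would spare the next reader the question.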