From 092d7a3d47bd41086f6fa040bf3da87e0a456d3b Mon Sep 17 00:00:00 2001 From: Sakooooo <78461130+Sakooooo@users.noreply.github.com> Date: Thu, 2 Jan 2025 00:00:59 +0400 Subject: [PATCH] harden --- modules/server/ddns.nix | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/modules/server/ddns.nix b/modules/server/ddns.nix index f6c7a1e6..6c4cc4d3 100644 --- a/modules/server/ddns.nix +++ b/modules/server/ddns.nix @@ -9,11 +9,23 @@ in { ddns-updater-updated = pkgs.callPackage ../../packages/ddns-updater.nix { }; in { + + users.users.ddns-updater = { group = "ddns-updater"; }; + users.groups.ddns-updater = { }; + ddns-updater = { enable = true; package = ddns-updater-updated; environment = { "PEROID" = "5m"; }; }; + + systemd.services.ddns-updater = { + serviceConfig = { + DynamicUser = lib.mkForce false; + User = "ddns-updater"; + Group = "ddns-updater"; + }; + }; nginx.virtualHosts = { "ddns.sako.box" = { locations."/" = { proxyPass = "http://localhost:8000"; };
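Review bot: Forcing `DynamicUser = lib.mkForce false` in `systemd.services.ddns-updater.serviceConfig` also drops the sandboxing that systemd implies with DynamicUser (ProtectSystem=strict, ProtectHome=read-only, PrivateTmp, NoNewPrivileges, RestrictSUIDSGID, RemoveIPC), so unless the upstream module sets these itself, the unit ends up less confined than before this "harden" commit. If the static account is needed, set them explicitly next to `User`/`Group`, e.g. `ProtectSystem = "strict"; ProtectHome = true; PrivateTmp = true;` and `NoNewPrivileges = true; RestrictSUIDSGID = true;`. The new `users.users.ddns-updater` sets only `group`; NixOS asserts that exactly one of `isSystemUser`/`isNormalUser` is set, so it likely needs `isSystemUser = true;`. The added `users.*` and `systemd.*` attributes sit beside `ddns-updater = { enable = true; … }` and `nginx.virtualHosts`, which are written without a `services.` prefix; the enclosing attrset opens outside the hunk, but if it is `services`, these would evaluate as `services.users…`/`services.systemd…` and should move up a level.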