refactor: change to systemd user service

Systant is designed as a userspace controller rather than a system daemon, so it makes more sense to run as a user service with access to the user's environment, PATH, and session (for audio control, etc). Changes: - Remove user/group options (runs as current user) - Use systemd.user.services instead of systemd.services - Remove hardening options (not needed and would restrict access) - Add package to environment.systemPackages Enable with: systemctl --user enable --now systant Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-19 20:55:36 -08:00 · 2026-01-19 20:55:36 -08:00 · 4e46f3e0fc
commit 4e46f3e0fc
parent 08bf13cc32
1 changed files with 14 additions and 51 deletions
--- a/nix/nixos-module.nix
+++ b/nix/nixos-module.nix
@ -3,6 +3,12 @@
 let
  cfg = config.systant;
  settingsFormat = pkgs.formats.toml { };
+  configFile =
+    if cfg.configFile != null
+    then cfg.configFile
+    else if cfg.settings != { }
+    then settingsFormat.generate "systant-config.toml" cfg.settings
+    else null;
 in
 {
  options.systant = {
@ -53,70 +59,27 @@ in
        }
      '';
    };
-
-    user = lib.mkOption {
-      type = lib.types.str;
-      default = "systant";
-      description = "User account under which systant runs.";
-    };
-
-    group = lib.mkOption {
-      type = lib.types.str;
-      default = "systant";
-      description = "Group under which systant runs.";
-    };
  };

  config = lib.mkIf cfg.enable {
-    # Create systant user/group if using defaults
-    users.users.${cfg.user} = lib.mkIf (cfg.user == "systant") {
-      isSystemUser = true;
-      group = cfg.group;
-      description = "Systant service user";
-    };
+    # Make the package available system-wide
+    environment.systemPackages = [ cfg.package ];

-    users.groups.${cfg.group} = lib.mkIf (cfg.group == "systant") { };
-
-    # Generate config file from settings if configFile not provided
-    environment.etc."systant/config.toml" = lib.mkIf (cfg.configFile == null && cfg.settings != { }) {
-      source = settingsFormat.generate "systant-config.toml" cfg.settings;
-    };
-
-    systemd.services.systant = {
+    # Systemd user service - runs in user session with user's environment
+    systemd.user.services.systant = {
      description = "Systant system monitoring agent";
-      wantedBy = [ "multi-user.target" ];
+      wantedBy = [ "default.target" ];
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];

      serviceConfig = {
        Type = "simple";
-        User = cfg.user;
-        Group = cfg.group;
        ExecStart =
-          let
-            configPath =
-              if cfg.configFile != null
-              then cfg.configFile
-              else "/etc/systant/config.toml";
-          in
-          "${cfg.package}/bin/systant run --config ${configPath}";
+          if configFile != null
+          then "${cfg.package}/bin/systant run --config ${configFile}"
+          else "${cfg.package}/bin/systant run";
        Restart = "on-failure";
        RestartSec = "5s";
-
-        # Hardening
-        NoNewPrivileges = true;
-        ProtectSystem = "strict";
-        ProtectHome = true;
-        PrivateTmp = true;
-        ProtectKernelTunables = true;
-        ProtectKernelModules = true;
-        ProtectControlGroups = true;
-
-        # Allow reading system metrics
-        ReadOnlyPaths = [
-          "/proc"
-          "/sys"
-        ];
      };
    };
  };