From 6d44ddaa8435505c3d07380b67b3402f327831dd Mon Sep 17 00:00:00 2001 From: Michael Walker Date: Sun, 15 Dec 2024 11:54:50 +0000 Subject: [PATCH 01/13] Switch from `extraUsers` to `users` `extraUsers` is a synonym and I've been using the two inconsistently. --- hosts/carcosa/configuration.nix | 6 +++--- hosts/nyarlathotep/configuration.nix | 8 ++++---- scripts/lint.sh | 4 ++++ shared/bookdb/remote-sync-receive.nix | 6 +++--- shared/bookdb/remote-sync-send.nix | 10 +++++----- shared/bookmarks/remote-sync-receive.nix | 2 +- shared/bookmarks/remote-sync-send.nix | 4 ++-- shared/default.nix | 4 ++-- shared/erase-your-darlings/default.nix | 4 ++-- shared/host-templates/website-mirror/default.nix | 2 +- 10 files changed, 27 insertions(+), 23 deletions(-) diff --git a/hosts/carcosa/configuration.nix b/hosts/carcosa/configuration.nix index 3107cf8f..a97c2f3a 100644 --- a/hosts/carcosa/configuration.nix +++ b/hosts/carcosa/configuration.nix @@ -333,7 +333,7 @@ in ## Remote Builds ############################################################################### - users.extraUsers.nix-remote-builder = { + users.users.nix-remote-builder = { home = "/var/lib/nix-remote-builder"; createHome = true; isSystemUser = true; @@ -342,7 +342,7 @@ in openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHFzMpx7QNSAb5tCbkzMRIG62PvBZysflwwCKchFDHtY nix@yuggoth" ]; }; - nix.settings.trusted-users = [ config.users.extraUsers.nix-remote-builder.name ]; + nix.settings.trusted-users = [ config.users.users.nix-remote-builder.name ]; ############################################################################### @@ -361,7 +361,7 @@ in services.prometheus.webExternalUrl = "https://prometheus.carcosa.barrucadu.co.uk"; # Extra packages - users.extraUsers.barrucadu.packages = with pkgs; [ + users.users.barrucadu.packages = with pkgs; [ irssi perl ]; diff --git a/hosts/nyarlathotep/configuration.nix b/hosts/nyarlathotep/configuration.nix index f4ae4544..fd44ad53 100644 
--- a/hosts/nyarlathotep/configuration.nix +++ b/hosts/nyarlathotep/configuration.nix @@ -181,7 +181,7 @@ in (map (n: nameValuePair n { path = "/mnt/nas/${n}"; writable = "yes"; }) shares); # Guest user for NFS / Samba - users.extraUsers.notbarrucadu = { + users.users.notbarrucadu = { uid = 1001; description = "Guest user"; isNormalUser = true; @@ -499,7 +499,7 @@ in ]; sops.secrets."users/bookdb_remote_sync/ssh_private_key" = { - owner = config.users.extraUsers.bookdb-remote-sync-send.name; + owner = config.users.users.bookdb-remote-sync-send.name; key = "users/remote_sync/ssh_private_key"; }; @@ -511,7 +511,7 @@ in ]; sops.secrets."users/bookmarks_remote_sync/ssh_private_key" = { - owner = config.users.extraUsers.bookmarks-remote-sync-send.name; + owner = config.users.users.bookmarks-remote-sync-send.name; key = "users/remote_sync/ssh_private_key"; }; @@ -519,7 +519,7 @@ in # RSS-to-Mastodon ############################################################################### - users.extraUsers.rss-to-mastodon = { + users.users.rss-to-mastodon = { home = "/persist/var/lib/rss-to-mastodon"; createHome = true; isSystemUser = true; diff --git a/scripts/lint.sh b/scripts/lint.sh index 9c2c26bc..24465c7e 100644 --- a/scripts/lint.sh +++ b/scripts/lint.sh @@ -28,6 +28,10 @@ if git grep 'OnCalendar' | grep -vE 'scripts/lint.sh'; then exit 1 fi +if git grep 'users.extraUsers' | grep -vE 'scripts/lint.sh'; then + exit 1 +fi + if git grep 'virtualisation.oci-containers' | grep -vE 'scripts/lint.sh|shared/oci-containers/'; then exit 1 fi diff --git a/shared/bookdb/remote-sync-receive.nix b/shared/bookdb/remote-sync-receive.nix index a94ac68e..e1f6c95c 100644 --- a/shared/bookdb/remote-sync-receive.nix +++ b/shared/bookdb/remote-sync-receive.nix @@ -7,7 +7,7 @@ let in { config = mkIf cfg.enable { - users.extraUsers.bookdb-remote-sync-receive = { + users.users.bookdb-remote-sync-receive = { home = "/var/lib/bookdb-remote-sync-receive"; createHome = true; isSystemUser = true; 
@@ -38,9 +38,9 @@ in security.sudo.extraRules = [ { - users = [ config.users.extraUsers.bookdb-remote-sync-receive.name ]; + users = [ config.users.users.bookdb-remote-sync-receive.name ]; commands = [ - { command = "${pkgs.rsync}/bin/rsync -a --delete ${config.users.extraUsers.bookdb-remote-sync-receive.home}/bookdb-covers/ ${config.systemd.services.bookdb.environment.BOOKDB_UPLOADS_DIR}"; options = [ "NOPASSWD" ]; } + { command = "${pkgs.rsync}/bin/rsync -a --delete ${config.users.users.bookdb-remote-sync-receive.home}/bookdb-covers/ ${config.systemd.services.bookdb.environment.BOOKDB_UPLOADS_DIR}"; options = [ "NOPASSWD" ]; } { command = "${pkgs.coreutils}/bin/chown -R ${config.users.users.bookdb.name}.nogroup ${config.systemd.services.bookdb.environment.BOOKDB_UPLOADS_DIR}"; options = [ "NOPASSWD" ]; } ]; } diff --git a/shared/bookdb/remote-sync-send.nix b/shared/bookdb/remote-sync-send.nix index 8e9703b8..e898f8e9 100644 --- a/shared/bookdb/remote-sync-send.nix +++ b/shared/bookdb/remote-sync-send.nix @@ -35,7 +35,7 @@ let bookdb-remote-sync-receive@${target} \ receive-elasticsearch ''; - User = config.users.extraUsers.bookdb-remote-sync-send.name; + User = config.users.users.bookdb-remote-sync-send.name; }; environment = { ES_HOST = config.systemd.services.bookdb.environment.ES_HOST; @@ -46,7 +46,7 @@ let in { config = mkIf cfg.enable { - users.extraUsers.bookdb-remote-sync-send = { + users.users.bookdb-remote-sync-send = { home = "/var/lib/bookdb-remote-sync-send"; createHome = true; isSystemUser = true; 
@@ -58,10 +58,10 @@ in security.sudo.extraRules = [ { - users = [ config.users.extraUsers.bookdb-remote-sync-send.name ]; + users = [ config.users.users.bookdb-remote-sync-send.name ]; commands = [ - { command = "${pkgs.coreutils}/bin/cp -r ${config.systemd.services.bookdb.environment.BOOKDB_UPLOADS_DIR}/ ${config.users.extraUsers.bookdb-remote-sync-send.home}/bookdb-covers"; options = [ "NOPASSWD" ]; } - { command = "${pkgs.coreutils}/bin/rm -rf ${config.users.extraUsers.bookdb-remote-sync-send.home}/bookdb-covers"; options = [ "NOPASSWD" ]; } + { command = "${pkgs.coreutils}/bin/cp -r ${config.systemd.services.bookdb.environment.BOOKDB_UPLOADS_DIR}/ ${config.users.users.bookdb-remote-sync-send.home}/bookdb-covers"; options = [ "NOPASSWD" ]; } + { command = "${pkgs.coreutils}/bin/rm -rf ${config.users.users.bookdb-remote-sync-send.home}/bookdb-covers"; options = [ "NOPASSWD" ]; } ]; } ]; diff --git a/shared/bookmarks/remote-sync-receive.nix b/shared/bookmarks/remote-sync-receive.nix index 87561336..7040e1da 100644 --- a/shared/bookmarks/remote-sync-receive.nix +++ b/shared/bookmarks/remote-sync-receive.nix @@ -7,7 +7,7 @@ let in { config = mkIf cfg.enable { - users.extraUsers.bookmarks-remote-sync-receive = { + users.users.bookmarks-remote-sync-receive = { home = "/var/lib/bookmarks-remote-sync-receive"; createHome = true; isSystemUser = true; diff --git a/shared/bookmarks/remote-sync-send.nix b/shared/bookmarks/remote-sync-send.nix index 63e1d7fd..b2b31226 100644 --- a/shared/bookmarks/remote-sync-send.nix +++ b/shared/bookmarks/remote-sync-send.nix @@ -23,7 +23,7 @@ let bookmarks-remote-sync-receive@${target} \ receive-elasticsearch ''; - User = config.users.extraUsers.bookmarks-remote-sync-send.name; + User = config.users.users.bookmarks-remote-sync-send.name; }; environment = { ES_HOST = config.systemd.services.bookmarks.environment.ES_HOST; 
@@ -34,7 +34,7 @@ let in { config = mkIf cfg.enable { - users.extraUsers.bookmarks-remote-sync-send = { + users.users.bookmarks-remote-sync-send = { home = "/var/lib/bookmarks-remote-sync-send"; createHome = true; isSystemUser = true; diff --git a/shared/default.nix b/shared/default.nix index 68dd4587..e9133f8e 100644 --- a/shared/default.nix +++ b/shared/default.nix @@ -64,7 +64,7 @@ in systemd.tmpfiles.rules = [ "d /tmp 1777 root root 14d" ] ++ ( let mkTmpDir = n: u: "d ${u.home}/tmp 0700 ${n} ${u.group} 7d"; - in mapAttrsToList mkTmpDir (filterAttrs (_: u: u.isNormalUser) config.users.extraUsers) + in mapAttrsToList mkTmpDir (filterAttrs (_: u: u.isNormalUser) config.users.users) ); # Enable passwd and co. @@ -286,7 +286,7 @@ in programs.zsh.enable = true; - users.extraUsers.barrucadu = { + users.users.barrucadu = { uid = 1000; description = "Michael Walker "; isNormalUser = true; diff --git a/shared/erase-your-darlings/default.nix b/shared/erase-your-darlings/default.nix index b419e010..b58633f8 100644 --- a/shared/erase-your-darlings/default.nix +++ b/shared/erase-your-darlings/default.nix @@ -36,8 +36,8 @@ in # Switch back to immutable users users.mutableUsers = mkForce false; - users.extraUsers.barrucadu.initialPassword = mkForce null; - users.extraUsers.barrucadu.hashedPasswordFile = cfg.barrucaduPasswordFile; + users.users.barrucadu.initialPassword = mkForce null; + users.users.barrucadu.hashedPasswordFile = cfg.barrucaduPasswordFile; # Persist state in `cfg.persistDir` services.openssh.hostKeys = [ diff --git a/shared/host-templates/website-mirror/default.nix b/shared/host-templates/website-mirror/default.nix index 9775a332..bcab9491 100644 --- a/shared/host-templates/website-mirror/default.nix +++ b/shared/host-templates/website-mirror/default.nix 
@@ -232,7 +232,7 @@ in networking.firewall.allowedTCPPorts = [ 80 443 ]; # Concourse access - users.extraUsers.concourse-deploy-robot = { + users.users.concourse-deploy-robot = { home = "/var/lib/concourse-deploy-robot"; createHome = true; isSystemUser = true; From 456ab3fa23734cb34434d706bc6e1e686ea9cb4e Mon Sep 17 00:00:00 2001 From: Michael Walker Date: Sun, 15 Dec 2024 11:57:44 +0000 Subject: [PATCH 02/13] [carcosa] Set `uid` of nix-remote-builder --- hosts/carcosa/configuration.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/carcosa/configuration.nix b/hosts/carcosa/configuration.nix index a97c2f3a..736c83cb 100644 --- a/hosts/carcosa/configuration.nix +++ b/hosts/carcosa/configuration.nix @@ -334,6 +334,7 @@ in ############################################################################### users.users.nix-remote-builder = { + uid = 983; home = "/var/lib/nix-remote-builder"; createHome = true; isSystemUser = true; From 9c3084f6b92c27ab11563b8645a6a7ae5b240a5c Mon Sep 17 00:00:00 2001 From: Michael Walker Date: Sun, 15 Dec 2024 11:57:56 +0000 Subject: [PATCH 03/13] [nyarlathotep] Set `uid` of rss-to-mastodon --- hosts/nyarlathotep/configuration.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/nyarlathotep/configuration.nix b/hosts/nyarlathotep/configuration.nix index fd44ad53..bd2cc954 100644 --- a/hosts/nyarlathotep/configuration.nix +++ b/hosts/nyarlathotep/configuration.nix @@ -520,6 +520,7 @@ in ############################################################################### users.users.rss-to-mastodon = { + uid = 991; home = "/persist/var/lib/rss-to-mastodon"; createHome = true; isSystemUser = true; From 4376cd25ce72926fb89d8b5ef1895b691ab58c9c Mon Sep 17 00:00:00 2001 From: Michael Walker Date: Sun, 15 Dec 2024 12:00:23 +0000 Subject: [PATCH 04/13] Set `uid` of bookdb users --- shared/bookdb/default.nix | 1 + shared/bookdb/remote-sync-receive.nix | 1 + shared/bookdb/remote-sync-send.nix | 1 + 3 files changed, 3 insertions(+) 
diff --git a/shared/bookdb/default.nix b/shared/bookdb/default.nix index ff3536d3..8791e3a0 100644 --- a/shared/bookdb/default.nix +++ b/shared/bookdb/default.nix @@ -60,6 +60,7 @@ in }; users.users.bookdb = { + uid = 998; description = "bookdb service user"; home = cfg.dataDir; createHome = true; diff --git a/shared/bookdb/remote-sync-receive.nix b/shared/bookdb/remote-sync-receive.nix index e1f6c95c..4b57951b 100644 --- a/shared/bookdb/remote-sync-receive.nix +++ b/shared/bookdb/remote-sync-receive.nix @@ -8,6 +8,7 @@ in { config = mkIf cfg.enable { users.users.bookdb-remote-sync-receive = { + uid = 985; home = "/var/lib/bookdb-remote-sync-receive"; createHome = true; isSystemUser = true; diff --git a/shared/bookdb/remote-sync-send.nix b/shared/bookdb/remote-sync-send.nix index e898f8e9..ee0b9360 100644 --- a/shared/bookdb/remote-sync-send.nix +++ b/shared/bookdb/remote-sync-send.nix @@ -47,6 +47,7 @@ in { config = mkIf cfg.enable { users.users.bookdb-remote-sync-send = { + uid = 985; home = "/var/lib/bookdb-remote-sync-send"; createHome = true; isSystemUser = true; From 2cda9b7cd48e633d24dc0fea23988a902d07b850 Mon Sep 17 00:00:00 2001 From: Michael Walker Date: Sun, 15 Dec 2024 12:01:47 +0000 Subject: [PATCH 05/13] Set `uid` of bookmarks users --- shared/bookmarks/remote-sync-receive.nix | 1 + shared/bookmarks/remote-sync-send.nix | 1 + 2 files changed, 2 insertions(+) diff --git a/shared/bookmarks/remote-sync-receive.nix b/shared/bookmarks/remote-sync-receive.nix index 7040e1da..2fc0982f 100644 --- a/shared/bookmarks/remote-sync-receive.nix +++ b/shared/bookmarks/remote-sync-receive.nix @@ -8,6 +8,7 @@ in { config = mkIf cfg.enable { users.users.bookmarks-remote-sync-receive = { + uid = 984; home = "/var/lib/bookmarks-remote-sync-receive"; createHome = true; isSystemUser = true; diff --git a/shared/bookmarks/remote-sync-send.nix b/shared/bookmarks/remote-sync-send.nix index b2b31226..8fda7400 100644 --- a/shared/bookmarks/remote-sync-send.nix 
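Review bot: `bookdb-remote-sync-send` is pinned to `uid = 985`, the same number the preceding hunk gives `bookdb-remote-sync-receive`; the bookmarks commit ([PATCH 05/13]) does the same with `uid = 984` for both of its sync users. If the send and receive modules are ever enabled on one host, the two names resolve to one numeric id, so either evaluation fails on the id-uniqueness check (assuming it is left enabled) or the files and processes of one account belong to the other. If the two are only ever deployed on separate hosts this is harmless, but then it deserves a comment such as `# same uid as -receive on purpose: never enabled on the same host`; otherwise give each account its own id. Both attribute sets continue outside their hunks.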
+++ b/shared/bookmarks/remote-sync-send.nix @@ -35,6 +35,7 @@ in { config = mkIf cfg.enable { users.users.bookmarks-remote-sync-send = { + uid = 984; home = "/var/lib/bookmarks-remote-sync-send"; createHome = true; isSystemUser = true; From 28a34948efc010ea74c795e4e1d431b8509b18a8 Mon Sep 17 00:00:00 2001 From: Michael Walker Date: Sun, 15 Dec 2024 12:02:25 +0000 Subject: [PATCH 06/13] Set `uid` of foundryvtt user --- shared/foundryvtt/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/shared/foundryvtt/default.nix b/shared/foundryvtt/default.nix index c1662ae1..48fb065e 100644 --- a/shared/foundryvtt/default.nix +++ b/shared/foundryvtt/default.nix @@ -37,6 +37,7 @@ in }; users.users.foundryvtt = { + uid = 994; description = "Foundry VTT service user"; home = cfg.dataDir; createHome = true; From 3bb0bdca3b5ae017b5868af0d4bae04e4b584b5e Mon Sep 17 00:00:00 2001 From: Michael Walker Date: Sun, 15 Dec 2024 12:03:20 +0000 Subject: [PATCH 07/13] Set `uid` of concourse-deploy-robot user --- shared/host-templates/website-mirror/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/shared/host-templates/website-mirror/default.nix b/shared/host-templates/website-mirror/default.nix index bcab9491..39e2d59e 100644 --- a/shared/host-templates/website-mirror/default.nix +++ b/shared/host-templates/website-mirror/default.nix @@ -233,6 +233,7 @@ in # Concourse access users.users.concourse-deploy-robot = { + uid = 997; home = "/var/lib/concourse-deploy-robot"; createHome = true; isSystemUser = true; From 1a57ebdd23796226607ec966bbc48a321b46c229 Mon Sep 17 00:00:00 2001 From: Michael Walker Date: Sun, 15 Dec 2024 12:04:11 +0000 Subject: [PATCH 08/13] Set `uid` of minecraft user --- shared/minecraft/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/shared/minecraft/default.nix b/shared/minecraft/default.nix index d04912f1..60cae9e3 100644 --- a/shared/minecraft/default.nix +++ b/shared/minecraft/default.nix 
@@ -30,6 +30,7 @@ in config = mkIf cfg.enable { # from https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/games/minecraft-server.nix users.users.minecraft = { + uid = 993; description = "Minecraft server service user"; home = cfg.dataDir; createHome = true; From df01fee92c580dada4019c788cb0963ef2c6296a Mon Sep 17 00:00:00 2001 From: Michael Walker Date: Sun, 15 Dec 2024 12:13:55 +0000 Subject: [PATCH 09/13] Set `uid` of backups user --- shared/restic-backups/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/shared/restic-backups/default.nix b/shared/restic-backups/default.nix index 27af485d..f9eec4fd 100644 --- a/shared/restic-backups/default.nix +++ b/shared/restic-backups/default.nix @@ -120,6 +120,7 @@ in config = mkIf cfg.enable { users.users.backups = { + uid = 999; description = "backup service user"; isSystemUser = true; group = "nogroup"; From 398278c950ce22d60950383fb79cf9a64b37c3af Mon Sep 17 00:00:00 2001 From: Michael Walker Date: Sun, 15 Dec 2024 12:24:23 +0000 Subject: [PATCH 10/13] Set `uid` and `gid` of pleroma user --- shared/pleroma/default.nix | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/shared/pleroma/default.nix b/shared/pleroma/default.nix index 6fffac4a..7a6a1ad0 100644 --- a/shared/pleroma/default.nix +++ b/shared/pleroma/default.nix @@ -15,6 +15,9 @@ let backend = config.nixfiles.oci-containers.backend; backendPkg = if backend == "docker" then pkgs.docker else pkgs.podman; dbSocketDir = "/var/run/pleroma/db"; + + pleromaUser = config.services.pleroma.user; + pleromaGroup = config.services.pleroma.group; in { imports = [ @@ -78,6 +81,9 @@ in [ "${toString (pkgs.copyPathToStore cfg.faviconPath)}:/var/lib/pleroma/static/favicon.png" ]; }; + users.users."${pleromaUser}".uid = 989; + users.groups."${pleromaGroup}".gid = 994; + nixfiles.oci-containers.pods.pleroma.containers.db = { image = "postgres:${cfg.postgresTag}"; environment = { 
@@ -99,7 +105,7 @@ in /run/wrappers/bin/sudo ${backendPkg}/bin/${backend} exec -i pleroma-db pg_dump -U pleroma --no-owner -Fc pleroma > postgres.dump ''; paths = [ - config.users.users.pleroma.home + config.users.users."${pleromaUser}".home "postgres.dump" ]; }; From 3d836f06e59935b13155b9f70d7e286845f30f13 Mon Sep 17 00:00:00 2001 From: Michael Walker Date: Sun, 15 Dec 2024 12:27:08 +0000 Subject: [PATCH 11/13] Set `uid` and `gid` of acme user --- shared/host-templates/website-mirror/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/shared/host-templates/website-mirror/default.nix b/shared/host-templates/website-mirror/default.nix index 39e2d59e..f8b51462 100644 --- a/shared/host-templates/website-mirror/default.nix +++ b/shared/host-templates/website-mirror/default.nix @@ -98,6 +98,9 @@ in }; }; + users.users.acme.uid = 986; + users.groups.acme.gid = 989; + ############################################################################### ## Websites From 3283e4e83fc82d91d3d9e779924011236061cba0 Mon Sep 17 00:00:00 2001 From: Michael Walker Date: Sun, 15 Dec 2024 12:32:12 +0000 Subject: [PATCH 12/13] Use RuntimeDirectory for bookdb-remote-sync-send --- shared/bookdb/remote-sync-send.nix | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/shared/bookdb/remote-sync-send.nix b/shared/bookdb/remote-sync-send.nix index ee0b9360..b6b3e551 100644 --- a/shared/bookdb/remote-sync-send.nix +++ b/shared/bookdb/remote-sync-send.nix 
@@ -15,11 +15,13 @@ let ExecStart = pkgs.writeShellScript "bookdb-sync" '' set -ex - /run/wrappers/bin/sudo ${pkgs.coreutils}/bin/cp -r ${config.systemd.services.bookdb.environment.BOOKDB_UPLOADS_DIR}/ ~/bookdb-covers - trap "/run/wrappers/bin/sudo ${pkgs.coreutils}/bin/rm -rf ~/bookdb-covers" EXIT + cd $RUNTIME_DIRECTORY + + /run/wrappers/bin/sudo ${pkgs.coreutils}/bin/cp -r ${config.systemd.services.bookdb.environment.BOOKDB_UPLOADS_DIR}/ bookdb-covers + trap "/run/wrappers/bin/sudo ${pkgs.coreutils}/bin/rm -rf bookdb-covers" EXIT rsync -az\ -e "ssh -i $SSH_KEY_FILE -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" \ - ~/bookdb-covers/ \ + bookdb-covers/ \ bookdb-remote-sync-receive@${target}:~/bookdb-covers/ ssh -i "$SSH_KEY_FILE" \ -o UserKnownHostsFile=/dev/null \ @@ -36,6 +38,7 @@ let receive-elasticsearch ''; User = config.users.users.bookdb-remote-sync-send.name; + RuntimeDirectory = "bookdb-sync-${target}"; }; environment = { ES_HOST = config.systemd.services.bookdb.environment.ES_HOST; @@ -48,8 +51,6 @@ in config = mkIf cfg.enable { users.users.bookdb-remote-sync-send = { uid = 985; - home = "/var/lib/bookdb-remote-sync-send"; - createHome = true; isSystemUser = true; shell = pkgs.bashInteractive; group = "nogroup"; @@ -61,8 +62,8 @@ in { users = [ config.users.users.bookdb-remote-sync-send.name ]; commands = [ - { command = "${pkgs.coreutils}/bin/cp -r ${config.systemd.services.bookdb.environment.BOOKDB_UPLOADS_DIR}/ ${config.users.users.bookdb-remote-sync-send.home}/bookdb-covers"; options = [ "NOPASSWD" ]; } - { command = "${pkgs.coreutils}/bin/rm -rf ${config.users.users.bookdb-remote-sync-send.home}/bookdb-covers"; options = [ "NOPASSWD" ]; } + { command = "${pkgs.coreutils}/bin/cp -r ${config.systemd.services.bookdb.environment.BOOKDB_UPLOADS_DIR}/ bookdb-covers"; options = [ "NOPASSWD" ]; } + { command = "${pkgs.coreutils}/bin/rm -rf bookdb-covers"; options = [ "NOPASSWD" ]; } ]; } ]; 
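Review bot: The rsync and ssh calls in this script still pass `-o UserKnownHostsFile=/dev/null` and `-o StrictHostKeyChecking=no`, so the receiver's identity is never verified and the covers and the Elasticsearch data go to whichever machine answers for `${target}`. Those lines are unchanged context, but since the transfer block is being reworked here it is a good moment to pin the receiver's host key, for example by declaring it in `programs.ssh.knownHosts` and dropping both `-o` overrides. Separately, the added `cd $RUNTIME_DIRECTORY` should be quoted as `cd "$RUNTIME_DIRECTORY"`. The script body continues past the end of this hunk.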
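Review bot: The two `NOPASSWD` rules now name a relative `bookdb-covers`, and sudoers matches the argument text without regard to the working directory, so `bookdb-remote-sync-send` is allowed to run the root `cp -r … bookdb-covers` and `rm -rf bookdb-covers` from any directory, not only from inside its runtime directory. The rules being replaced were anchored to an absolute path under the account's home. I would keep them absolute, e.g. one rule per target using `/run/bookdb-sync-${target}/bookdb-covers` (assuming the default `/run` location for `RuntimeDirectory`), and use that same absolute path in the script's `cp` and `trap` lines. The `extraRules` list starts outside this hunk.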
From 526e7aab066a4bb201170c3807d06883afa0a83a Mon Sep 17 00:00:00 2001 From: Michael Walker Date: Sun, 15 Dec 2024 12:38:08 +0000 Subject: [PATCH 13/13] Remove home of bookmarks-remote-sync-send --- shared/bookmarks/remote-sync-send.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/shared/bookmarks/remote-sync-send.nix b/shared/bookmarks/remote-sync-send.nix index 8fda7400..d83ed2e7 100644 --- a/shared/bookmarks/remote-sync-send.nix +++ b/shared/bookmarks/remote-sync-send.nix @@ -36,8 +36,6 @@ in config = mkIf cfg.enable { users.users.bookmarks-remote-sync-send = { uid = 984; - home = "/var/lib/bookmarks-remote-sync-send"; - createHome = true; isSystemUser = true; shell = pkgs.bashInteractive; group = "nogroup";