From d5967cf392bbde851ef1184fb4a5d1830c565129 Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Tue, 3 Feb 2026 16:14:21 +0100
Subject: [PATCH] feat(nix): improve Nextcloud Claude Bot security and user setup

- Set `User` and `Group` for the bot service to enhance security and isolation.
- Added system user and group for `claude-bot` with defined home directory.
- Modified secrets ownership to align with the new bot user.
---
 .../mx/nextcloud-claude-bot/default.nix | 1 +
 .../mx/nextcloud-claude-bot/module.nix | 20 ++++++++++++++-----
 2 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/systems/x86_64-linux/mx/nextcloud-claude-bot/default.nix b/systems/x86_64-linux/mx/nextcloud-claude-bot/default.nix
index 7d61fe7..234efd7 100644
--- a/systems/x86_64-linux/mx/nextcloud-claude-bot/default.nix
+++ b/systems/x86_64-linux/mx/nextcloud-claude-bot/default.nix
@@ -12,6 +12,7 @@
 sops.secrets."nextcloud-claude-bot/secret" = {
 sopsFile = ../../../../.secrets/hetzner/nextcloud-claude-bot.yaml;
 restartUnits = [ "nextcloud-claude-bot.service" ];
+ owner = "claude-bot";
 };
 
 # Nginx location for Nextcloud to send webhooks to the bot
diff --git a/systems/x86_64-linux/mx/nextcloud-claude-bot/module.nix b/systems/x86_64-linux/mx/nextcloud-claude-bot/module.nix
index 7b2cda0..eb1a0a7 100644
--- a/systems/x86_64-linux/mx/nextcloud-claude-bot/module.nix
+++ b/systems/x86_64-linux/mx/nextcloud-claude-bot/module.nix
@@ -83,6 +83,7 @@ in {
 after = [ "network.target" ];
 
 environment = {
+ HOME = "/var/lib/nextcloud-claude-bot";
 BOT_HOST = cfg.host;
 BOT_PORT = toString cfg.port;
 NEXTCLOUD_URL = cfg.nextcloudUrl;
@@ -99,9 +100,11 @@ in {
 ExecStart = "${pythonEnv}/bin/uvicorn nextcloud_claude_bot:app --host ${cfg.host} --port ${toString cfg.port}";
 Restart = "always";
 RestartSec = 5;
-
+
+ User = "claude-bot";
+ Group = "claude-bot";
+
 # Security hardening
- DynamicUser = true;
 NoNewPrivileges = true;
 ProtectSystem = "strict";
 ProtectHome = "read-only";
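Review bot: The new `owner = "claude-bot"` makes the decrypted secret readable by the service account directly, yet the unit already receives it through `LoadCredential = "bot-secret:${cfg.botSecretFile}"` (hunk `@@ -115`), which systemd reads as root before dropping to `User`, so no owner change is needed for that path — assuming `cfg.botSecretFile` points at this sops secret, which is not visible here. If the bot only reads `$CREDENTIALS_DIRECTORY/bot-secret`, drop the `owner` line and keep the file root-only; if it does open the sops path itself, say so above the line, e.g. `# readable by the service user: the bot opens this path directly instead of the systemd credential`. Without such a comment the next reader will not know which of the two access paths is load-bearing.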
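Review bot: The state path `/var/lib/nextcloud-claude-bot` is now spelled out three times — here as `HOME`, and in the `@@ -115` hunk as the `StateDirectory` name and as `users.users.claude-bot.home` — with nothing tying them together. Binding it once in the module's `let` (which lies outside this hunk), e.g. `stateDir = "/var/lib/nextcloud-claude-bot";`, and writing `HOME = stateDir;` and `home = stateDir;` keeps a later rename from leaving the CLI config in one directory and the account's home in another.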
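Review bot: Replacing `DynamicUser = true` with a static `User`/`Group` silently drops the options DynamicUser implies; the hunk keeps `NoNewPrivileges`, `ProtectSystem`, `ProtectHome` and (in the `@@ -115` hunk) `RestrictSUIDSGID` explicitly, but `PrivateTmp` and `RemoveIPC`, which DynamicUser also switched on, do not appear in the visible lines. Unless they are set in the unchanged part of `serviceConfig`, which continues outside this hunk, add `PrivateTmp = true;` and `RemoveIPC = true;` next to `User`/`Group` so the sandbox does not regress as a side effect of the user change. It is also worth confirming on the first deploy that the state directory created under the previous dynamic UID ends up owned by `claude-bot`, since the unit now expects a persistent account.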
@@ -115,15 +118,22 @@ in {
 RestrictSUIDSGID = true;
 MemoryDenyWriteExecute = false; # Python needs this
 LockPersonality = true;
-
+
 # Bot secret
 LoadCredential = "bot-secret:${cfg.botSecretFile}";
-
+
 # Claude CLI needs home for config
 StateDirectory = "nextcloud-claude-bot";
- Environment = "HOME=/var/lib/nextcloud-claude-bot";
 };
 };
+
+ users.users.claude-bot = {
+ isSystemUser = true;
+ group = "claude-bot";
+ home = "/var/lib/nextcloud-claude-bot";
+ };
+
+ users.groups.claude-bot = {};
 
 # Nginx reverse proxy config (optional, if you want external access)
 # services.nginx.virtualHosts."cloud.example.com".locations."/claude-bot/" = {
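Review bot: Whether the new `users.users.claude-bot` and `users.groups.claude-bot` definitions sit under the same `cfg.enable` guard as the service cannot be seen here, because the enclosing config block starts and ends outside the hunk; if they do not, every host importing the module gets a `claude-bot` account even with the bot disabled, so keep them inside whichever `mkIf` covers the service. `home` reuses the `StateDirectory` path while `createHome` is left at its default, so the directory only exists once systemd has created it on the unit's first start; that is fine for the service but deserves a line such as `# home is the unit's StateDirectory: created and owned by systemd, not by the user module` so nobody later adds `createHome = true` and races the unit for ownership.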