From fe70af3ad68c907d9bb37f1c58792cd329a124ff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Sat, 4 Nov 2023 09:19:56 +0100
Subject: [PATCH] nixos/master: make buildbot a system user

---
 nix/master.nix | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/nix/master.nix b/nix/master.nix
index ce0756f..e79761a 100644
--- a/nix/master.nix
+++ b/nix/master.nix
@@ -83,8 +83,18 @@ in
     };
   };
   config = lib.mkIf cfg.enable {
+    # By default buildbot uses a normal user, which is not a good default, because
+    # we grant normal users potentially access to other resources. Also
+    # we don't to be able to ssh into buildbot.
+
+    users.users.buildbot = {
+      isNormalUser = lib.mkForce false;
+      isSystemUser = true;
+    };
+
     services.buildbot-master = {
       enable = true;
+      home = "/var/lib/buildbot";
       extraImports = ''
         from datetime import timedelta
         from buildbot_nix import GithubConfig, NixConfigurator