nixos: Add atticd-atticadm wrapper

Now `atticd-atticadm` can be used to run `atticadm` as the `atticd`
user. `atticd` is no longer added to the system path.

integration-tests/basic/default.nix

@@ -5,7 +5,7 @@ let
   serverConfigFile = config.nodes.server.services.atticd.configFile;
 
   cmd = {
-    atticadm = ". /etc/atticd.env && export ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64 && atticadm -f ${serverConfigFile}";
+    atticadm = "atticd-atticadm";
     atticd = ". /etc/atticd.env && export ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64 && atticd -f ${serverConfigFile}";
   };
 
@@ -129,6 +129,8 @@ in {
           };
         };
 
+        environment.systemPackages = [ pkgs.attic-server ];
+
         networking.firewall.allowedTCPPorts = [ 8080 ];
       };
 

nixos/atticd.nix

@@ -21,6 +21,20 @@ let
     cat <$configFile >$out
   '';
 
+  atticadmWrapper = pkgs.writeShellScriptBin "atticd-atticadm" ''
+    exec systemd-run \
+      --pty \
+      --same-dir \
+      --wait \
+      --collect \
+      --service-type=exec \
+      --property=EnvironmentFile=${cfg.credentialsFile} \
+      --property=DynamicUser=yes \
+      --property=User=atticd \
+      -- \
+      ${cfg.package}/bin/atticadm -f ${checkedConfigFile} "$@"
+  '';
+
   hasLocalPostgresDB = let
     url = cfg.settings.database.url;
     localStrings = [ "localhost" "127.0.0.1" "/run/postgresql" ];
@@ -129,7 +143,7 @@ in
         };
       };
 
-      environment.systemPackages = [ cfg.package ];
+      environment.systemPackages = [ atticadmWrapper ];
     }
     (lib.mkIf cfg.useFlakeCompatOverlay {
       nixpkgs.overlays = [ overlay ];