From cfd282d97d57c947f1de8f85f2f56948eb9b30b6 Mon Sep 17 00:00:00 2001
From: Nathan Anderson
Date: Sun, 26 Oct 2025 19:58:17 -0600
Subject: [PATCH] switch dufs user to nfs user
---
 shared/modules/services/dufs.nix | 16 ++++++++--------
 shared/server-configuration.nix | 2 ++
 2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/shared/modules/services/dufs.nix b/shared/modules/services/dufs.nix
index 532e353..02c8899 100644
--- a/shared/modules/services/dufs.nix
+++ b/shared/modules/services/dufs.nix
@@ -41,13 +41,13 @@ in
 user = lib.mkOption {
 type = lib.types.str;
 default = "dufs";
- description = "User to run dufs service as";
+ description = "User to run dufs service as (should match NFS share owner)";
 };
 group = lib.mkOption {
 type = lib.types.str;
 default = "dufs";
- description = "Group to run dufs service as";
+ description = "Group to run dufs service as (should match NFS share group)";
 };
 publicInstance = {
@@ -166,20 +166,20 @@ in
 };
 config = lib.mkIf cfg.enable {
- # Create dufs user and group
- users.users.${cfg.user} = {
+ # Create dufs user and group only if using default user/group
+ users.users.${cfg.user} = lib.mkIf (cfg.user == "dufs") {
 isSystemUser = true;
 group = cfg.group;
 extraGroups = [ "users" ]; # Add to users group for access to shared files
 description = "dufs file server user";
 };
- users.groups.${cfg.group} = {};
+ users.groups.${cfg.group} = lib.mkIf (cfg.group == "dufs") {};
- # Ensure proper ownership of dufs directories
+ # Ensure directories exist (ownership should be managed by NFS or external system)
 systemd.tmpfiles.rules = [
- "d ${cfg.servePathPublic} 0755 ${cfg.user} ${cfg.group} -"
- "d ${cfg.servePathPrivate} 0755 ${cfg.user} ${cfg.group} -"
+ "d ${cfg.servePathPublic} 0755 - - -"
+ "d ${cfg.servePathPrivate} 0755 - - -"
 ];
 # Public read-only instance
diff --git a/shared/server-configuration.nix b/shared/server-configuration.nix
index 5ad2c64..66919aa 100644
--- a/shared/server-configuration.nix
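Review bot: The `0755` kept in both `systemd.tmpfiles.rules` entries no longer fits the new comment that ownership is managed externally: with `-` in the user and group columns a missing directory is created owned by the account that runs systemd-tmpfiles (root for the system instance), so the service account cannot write to it, and the mode column still forces `servePathPrivate` to be readable and traversable by every local account. If permissions really belong to the NFS side, leave the mode unset as well, e.g. `"d ${cfg.servePathPrivate} - - - -"`, which should leave an existing directory's mode untouched, or give the private path a tighter mode than the public one. Separately, `lib.mkIf (cfg.user == "dufs")` means a non-default `cfg.user` or `cfg.group` is never declared or checked by this module; an `assertions` entry that fails evaluation when the named user or group is not defined elsewhere would turn a unit that fails at start-up into a build-time error. The `config` block continues past the end of the hunk.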
+++ b/shared/server-configuration.nix
@@ -179,6 +179,8 @@ in
 services.dufs = {
 enable = true;
 openFirewall = true;
+ user = "kage";
+ group = "users";
 # Public read-only instance
 publicInstance = {
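Review bot: Setting `user = "kage"` and `group = "users"` next to `openFirewall = true` makes a network-exposed file server run with the full file access of what looks like a regular login account (inferred from the name; the account's definition is not in this diff), so any flaw in dufs or its path handling reaches everything that account can read or write, not just the two serve paths. A dedicated service account mapped to the same numeric uid/gid on the NFS export, or keeping `user = "dufs"` and granting access through the share's group, would preserve least privilege. If the shared account has to stay, the unit should at least confine it, for example `NoNewPrivileges = true;` and, provided the serve paths are outside /home, `ProtectHome = true;` in its `serviceConfig` (not visible here). Because the module now skips `users.users` for non-default names, `kage` also has to be declared elsewhere or the unit will not start. The `services.dufs` block continues past the end of the hunk.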