feat(appvm module): limit the user agent by UID

Add condition to limit the user session for appvm module to the specified UID only. Prevents running multiple instances, e.g., for admin account. Service does not run anyway as the address is already bound. Signed-off-by: Manuel Bluhm <[email protected]>
tiiuae · Jan 10, 2025 · d496074 · d496074
1 parent 0780b02
commit d496074
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/nixos/modules/appvm.nix b/nixos/modules/appvm.nix
@@ -55,6 +55,12 @@ in
       ];
     };
 
+    user = mkOption {
+      description = "Limit running this agent only in session of user with this UID.";
+      type = types.int;
+      default = 1000;
+    };
+
     socketProxy = mkOption {
       description = ''
         Optional socket proxy module. If not provided, the module will not use a socket proxy.
@@ -141,6 +147,7 @@ in
       after = [ "sockets.target" ];
       wants = [ "sockets.target" ];
       wantedBy = [ "default.target" ];
+      unitConfig.ConditionUser = "${toString cfg.user}";
       serviceConfig = {
         Type = "exec";
         ExecStart = "${givc-agent}/bin/givc-agent";