From d4960747970b600b42f2f2a18336271d8616f4e5 Mon Sep 17 00:00:00 2001
From: Manuel Bluhm <manuel@ssrc.tii.ae>
Date: Fri, 10 Jan 2025 17:06:30 +0400
Subject: [PATCH] feat(appvm module): limit the user agent by UID

Add condition to limit the user session for appvm module to the
specified UID only. Prevents running multiple instances, e.g.,
for admin account. Service does not run anyway as the address
is already bound.

Signed-off-by: Manuel Bluhm <manuel@ssrc.tii.ae>
---
 nixos/modules/appvm.nix | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/nixos/modules/appvm.nix b/nixos/modules/appvm.nix
index 977115c..3cec3c3 100644
--- a/nixos/modules/appvm.nix
+++ b/nixos/modules/appvm.nix
@@ -55,6 +55,12 @@ in
       ];
     };
 
+    user = mkOption {
+      description = "Limit running this agent only in session of user with this UID.";
+      type = types.int;
+      default = 1000;
+    };
+
     socketProxy = mkOption {
       description = ''
         Optional socket proxy module. If not provided, the module will not use a socket proxy.
@@ -141,6 +147,7 @@ in
       after = [ "sockets.target" ];
       wants = [ "sockets.target" ];
       wantedBy = [ "default.target" ];
+      unitConfig.ConditionUser = "${toString cfg.user}";
       serviceConfig = {
         Type = "exec";
         ExecStart = "${givc-agent}/bin/givc-agent";