From 293dbdab940e7adbb12303e91ad8f27b66354931 Mon Sep 17 00:00:00 2001
From: Kaare Hoff Skovgaard <kaare@kaareskovgaard.net>
Date: Sat, 19 Jul 2025 22:41:55 +0200
Subject: [PATCH] Change set unix user command to service

---
 .../vault-server-approle/unix-user.nix          | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/nix/modules/nixos/infrastructure/vault-server-approle/unix-user.nix b/nix/modules/nixos/infrastructure/vault-server-approle/unix-user.nix
index 6ddd085..7985736 100644
--- a/nix/modules/nixos/infrastructure/vault-server-approle/unix-user.nix
+++ b/nix/modules/nixos/infrastructure/vault-server-approle/unix-user.nix
@@ -6,7 +6,8 @@
 }:
 let
   cfg = config.khscodes.infrastructure.vault-server-approle;
-  userExists = username: (builtins.hasAttr username config.users.users) && config.users.users.enable;
+  userExists =
+    username: (builtins.hasAttr username config.users.users) && config.users.users.khs.enable;
   setKhsPassword = pkgs.writeShellApplication {
     name = "set-khs-password";
     runtimeInputs = [
@@ -37,8 +38,20 @@ in
         perms = "0600";
         owner = "root";
         group = "root";
-        exec = lib.getExe setKhsPassword;
+        restartUnits = [ "set-khs-password.service" ];
       }
     ];
+    systemd.services.set-khs-password = {
+      enable = true;
+      unitConfig = {
+        ConditionPathExists = "/run/unix-users/khs";
+      };
+      serviceConfig = {
+        Type = "oneshot";
+        User = "root";
+        Group = "root";
+        ExecStart = lib.getExe setKhsPassword;
+      };
+    };
   };
 }