Refactor to fix user permissions when using cli as another user

inquisitor.nix

@@ -13,6 +13,15 @@ let
   # Define the inquisitor data directory
   inquisiDir = "/var/lib/inquisitor";
 
+  # Define the inquisitor service user
+  inquisitorUser = {
+    name = "inquisitor";
+    description = "Inquisitor service user";
+    isSystemUser = true;
+    shell = pkgs.bashInteractive;
+    packages = [ inquisitor pkgs.cron ];
+  };
+
   # Create the inquisitor config file in the nix store, pointing to /var/lib/
   inquisitorConfig = pkgs.writeTextFile {
     name = "inquisitor.conf";
@@ -25,9 +34,9 @@ let
     '';
   };
 
-  # Create a run script for the server that sets up all necessary state
+  # Create a setup script to ensure the service directory state
-  inquisitorRun = pkgs.writeShellScriptBin "run.sh" ''
+  inquisitorSetup = pkgs.writeShellScriptBin "inquisitor-setup.sh" ''
-    # Ensure inquisitor directories and inquisitor source folder
+    # Ensure the service directory and the default source directory
     ${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/data/inquisitor/
     ${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/sources/
     ${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/cache/
@@ -35,42 +44,54 @@ let
       ${pkgs.coreutils}/bin/echo "{}" > ${inquisiDir}/data/inquisitor/state
     fi
 
-    # Run inquisitor
+    # Ensure the service owns the folders
+    chown -R ${inquisitorUser.name} ${inquisiDir}
+  '';
+
+  # Create a run script for the server
+  inquisitorRun = pkgs.writeShellScriptBin "inquisitor-run.sh" ''
     cd ${inquisiDir}
     ${inquisitor}/bin/gunicorn \
       --bind=localhost:24133 \
       --workers=4 \
-      --env INQUISITOR_CONFIG=${inquisitorConfig} \
       --log-level debug \
       "inquisitor.app:wsgi()"
   '';
 
-  # Create a wrapper script to let users call into inquisitor safely
+  # Create a wrapper to execute the cli as the service user
   inquisitorWrapper = pkgs.writeShellScriptBin "inq" ''
-    INQUISITOR_CONFIG=${inquisitorConfig} ${inquisitor}/bin/inquisitor "$@"
+    sudo --user=inquisitor ${inquisitor}/bin/inquisitor "$@"
   '';
 in
 {
-  # Create a user for the service
+  users.users.inquisitor = inquisitorUser;
-  users.users.inquisitor = {
+
-    description = "Inquisitor service user";
+  # Link the config in /etc to avoid envvar shenanigans
-    isSystemUser = true;
+  environment.etc."inquisitor.conf".source = "${inquisitorConfig}";
-    home = "${inquisiDir}";
-    createHome = true;
-    shell = pkgs.bashInteractive;
-    packages = [ inquisitor pkgs.cron ];
-  };
 
   # Give all users the inq wrapper
   environment.systemPackages = [ inquisitorWrapper ];
 
+  # Allow the sudo in the cli wrapper without password
+  security.sudo.extraRules = [{
+    commands = [{
+      command = "${inquisitor}/bin/inquisitor";
+      options = [ "NOPASSWD" ];
+    }];
+    runAs = "${inquisitorUser.name}";
+    groups = [ "users" ];
+  }];
+
+  # Run the setup script on activation
+  system.activationScripts.inquisitorSetup = "${inquisitorSetup}/bin/inquisitor-setup.sh";
+
   # Set up the inquisitor service
   systemd.services.inquisitor =
   {
     description = "Inquisitor server";
-    script = "${inquisitorRun}/bin/run.sh";
+    script = "${inquisitorRun}/bin/inquisitor-run.sh";
     serviceConfig = {
-      User = "inquisitor";
+      User = "${inquisitorUser.name}";
       Type = "simple";
     };
     wantedBy = [ "multi-user.target" ];