From d8fa2627f307e72a0d7f232168b137569f3a6dc6 Mon Sep 17 00:00:00 2001
From: Dominique Martinet
Date: Sat, 9 May 2020 20:43:24 +0200
Subject: [PATCH] mpd: remove user/group from conf

the options should not be set as we already change user with service file, man mpd.conf says "Do not use this option if you start MPD as an unprivileged user" The group option actually is not documented at all anymore and probably no longer exists. These options get in the way of setting up confinement for the service, as it would otherwise be pretty straightforward to setup, but even if mpd is not root it would check the user exists within the chroot which is more work (need to get nss working): systemd.services.mpd = { serviceConfig.BindPaths = [ # mpd state dir "/var/lib/mpd" # notify systemd service started up "/run/systemd/notify" ]; serviceConfig.BindReadOnlyPaths = [ "/path/to/music:/var/lib/mpd/music" ]; # ProtectSystem is not compatible with confinement serviceConfig.ProtectSystem = lib.mkForce false; confinement = { enable = true; binSh = null; mode = "chroot-only"; }; };
---
 nixos/modules/services/audio/mpd.nix | 2 --
 1 file changed, 2 deletions(-)
diff --git a/nixos/modules/services/audio/mpd.nix b/nixos/modules/services/audio/mpd.nix
index e20591b5beb..f4eb4a265a4 100644
--- a/nixos/modules/services/audio/mpd.nix
+++ b/nixos/modules/services/audio/mpd.nix
@@ -18,8 +18,6 @@ let
 ''}
 state_file "${cfg.dataDir}/state"
 sticker_file "${cfg.dataDir}/sticker.sql"
- user "${cfg.user}"
- group "${cfg.group}"
 ${optionalString (cfg.network.listenAddress != "any") ''bind_to_address "${cfg.network.listenAddress}"''}
 ${optionalString (cfg.network.port != 6600) ''port "${toString cfg.network.port}"''}