From cfc6c7e4360c85eb0f24df7140d4c81d6fb2ebde Mon Sep 17 00:00:00 2001
From: thalin <28450+thalin@users.noreply.github.com>
Date: Sat, 19 Jul 2025 23:29:20 -0400
Subject: [PATCH 1/4] Make some geth service config overrideable.

---
 modules/geth/default.nix | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/modules/geth/default.nix b/modules/geth/default.nix
index e6ad580b9..908b2c361 100644
--- a/modules/geth/default.nix
+++ b/modules/geth/default.nix
@@ -19,6 +19,7 @@
 flatten
 mapAttrs'
 mapAttrsToList
+ mkDefault
 mkIf
 mkMerge
 nameValuePair
@@ -121,9 +122,9 @@ in {
 serviceConfig = mkMerge [
 baseServiceConfig
 {
- User = serviceName;
- StateDirectory = serviceName;
- ExecStart = "${cfg.package}/bin/geth ${scriptArgs}";
+ User = mkDefault serviceName;
+ StateDirectory = mkDefault serviceName;
+ ExecStart = mkDefault "${cfg.package}/bin/geth ${scriptArgs}";
 }
 (mkIf (cfg.args.authrpc.jwtsecret != null) {
 LoadCredential = ["jwtsecret:${cfg.args.authrpc.jwtsecret}"];

From b0a39663a78adc04865b1e1ff541ec7868a1a151 Mon Sep 17 00:00:00 2001
From: thalin <28450+thalin@users.noreply.github.com>
Date: Thu, 21 Aug 2025 14:32:01 -0400
Subject: [PATCH 2/4] Use the same idea as prysm-beacon to set the user.

---
 modules/geth/default.nix | 5 ++++-
 modules/geth/options.nix | 6 ++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/modules/geth/default.nix b/modules/geth/default.nix
index 908b2c361..bee60b51d 100644
--- a/modules/geth/default.nix
+++ b/modules/geth/default.nix
@@ -122,7 +122,10 @@ in {
 serviceConfig = mkMerge [
 baseServiceConfig
 {
- User = mkDefault serviceName;
+ User =
+ if cfg.user != null
+ then cfg.user
+ else mkDefault serviceName;
 StateDirectory = mkDefault serviceName;
 ExecStart = mkDefault "${cfg.package}/bin/geth ${scriptArgs}";
 }
diff --git a/modules/geth/options.nix b/modules/geth/options.nix
index e1392ae07..0206e6756 100644
--- a/modules/geth/options.nix
+++ b/modules/geth/options.nix
@@ -9,6 +9,12 @@
 options = rec {
 enable = mkEnableOption "Go Ethereum Node";
 
+ user = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = "User to run the service as.";
+ };
+
 inherit args;
 
 extraArgs = mkOption {

From e308981f2c3a4f709a5eaf5f8670444d0ce40a11 Mon Sep 17 00:00:00 2001
From: thalin <28450+thalin@users.noreply.github.com>
Date: Sat, 23 Aug 2025 18:24:59 -0400
Subject: [PATCH 3/4] If a user is set, turn off DynamicUser.

Also set all the settings DynamicUser automatically sets. This ensures that the environment between the two options stays consistent.

---
 modules/geth/default.nix | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/modules/geth/default.nix b/modules/geth/default.nix
index bee60b51d..e64a2a4cf 100644
--- a/modules/geth/default.nix
+++ b/modules/geth/default.nix
@@ -20,6 +20,7 @@
 mapAttrs'
 mapAttrsToList
 mkDefault
+ mkForce
 mkIf
 mkMerge
 nameValuePair
@@ -132,6 +133,14 @@ in {
 (mkIf (cfg.args.authrpc.jwtsecret != null) {
 LoadCredential = ["jwtsecret:${cfg.args.authrpc.jwtsecret}"];
 })
+ (mkIf (cfg.user != null) {
+ DynamicUser = mkForce false;
+ RemoveIPC = mkDefault true;
+ PrivateTmp = mkDefault true;
+ NoNewPrivileges = mkDefault "strict";
+ RestrictSUIDSGID = mkDefault true;
+ ProtectSystem = mkDefault true;
+ })
 ];
 })
 )

From 3ce8aeea3aaf514c28a4a0343b2929e6b6b79e74 Mon Sep 17 00:00:00 2001
From: thalin <28450+thalin@users.noreply.github.com>
Date: Sun, 31 Aug 2025 21:29:53 -0400
Subject: [PATCH 4/4] Add new dynamicUser option to disable DynamicUser.

Default is true which leaves dynamicUser enabled, and when set to false the systemd service DynamicUser option is disabled but all of the other options which are automatically enabled by that option are set to default enabled.

---
 modules/geth/default.nix | 2 +-
 modules/geth/options.nix | 10 ++++++++--
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/modules/geth/default.nix b/modules/geth/default.nix
index e64a2a4cf..4a8a8785e 100644
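Review bot: The new `user` option's description does not say that the account must already exist — nothing in this series adds a `users.users` entry for it, so a name that is not in the passwd database would leave the unit failing on an unknown `User=` (unless default.nix creates the account somewhere outside these hunks). I'd make the contract explicit in the option itself: `description = "Name of an existing user to run the service as; the module does not create this account. When null, a service-specific user is used.";`.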
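Review bot: The values of `NoNewPrivileges` and `ProtectSystem` look swapped: systemd's `NoNewPrivileges=` takes a boolean, so `"strict"` is rejected at unit load and the setting is silently dropped, while `ProtectSystem=true` selects the weaker `yes` mode rather than the `strict` mode that DynamicUser implies. The fix is `NoNewPrivileges = mkDefault true;` and `ProtectSystem = mkDefault "strict";`. DynamicUser also implies `ProtectHome=read-only`, so `ProtectHome = mkDefault "read-only";` belongs in this block if the goal is parity with the dynamic-user environment. The same lines are carried unchanged into the PATCH 4/4 hunk of default.nix, where the condition becomes `!cfg.dynamicUser`. The enclosing mkMerge list starts outside the hunk.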
--- a/modules/geth/default.nix
+++ b/modules/geth/default.nix
@@ -133,7 +133,7 @@ in {
 (mkIf (cfg.args.authrpc.jwtsecret != null) {
 LoadCredential = ["jwtsecret:${cfg.args.authrpc.jwtsecret}"];
 })
- (mkIf (cfg.user != null) {
+ (mkIf (!cfg.dynamicUser) {
 DynamicUser = mkForce false;
 RemoveIPC = mkDefault true;
 PrivateTmp = mkDefault true;
diff --git a/modules/geth/options.nix b/modules/geth/options.nix
index 0206e6756..ce51fa1e6 100644
--- a/modules/geth/options.nix
+++ b/modules/geth/options.nix
@@ -9,14 +9,20 @@
 options = rec {
 enable = mkEnableOption "Go Ethereum Node";
 
+ inherit args;
+
+ dynamicUser = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Whether to use systemd's DynamicUser feature.";
+ };
+
 user = mkOption {
 type = types.nullOr types.str;
 default = null;
 description = "User to run the service as.";
 };
 
- inherit args;
-
 extraArgs = mkOption {
 type = types.listOf types.str;
 description = "Additional arguments to pass to Go Ethereum.";
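Review bot: With the guard changed to `!cfg.dynamicUser`, setting `user` while leaving `dynamicUser` at its default of true produces a unit with both `User=<name>` and `DynamicUser=yes`; systemd refuses to start such a unit when the named account already exists in the passwd database, which is the normal case for an explicitly configured user. The previous `cfg.user != null` guard covered this implicitly, so the module should now catch the combination at evaluation time, e.g. an assertion outside this hunk such as `{ assertion = cfg.user == null || !cfg.dynamicUser; message = "geth: dynamicUser must be false when user is set"; }`, or default `dynamicUser` to `cfg.user == null`. The enclosing mkMerge list starts outside the hunk.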
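Review bot: The `dynamicUser` description does not mention its coupling with `user` or what disabling it does, although the commit message spells both out. I'd write `description = "Whether to run the service with systemd's DynamicUser. Must be false when the user option is set; when disabled, the hardening settings DynamicUser implies are still enabled by default.";` so the contract lives with the option rather than in the history.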