If a user is set, turn off DynamicUser.

Also set all the settings DynamicUser automatically sets. This
ensures that the environment between the two options stays
consistent.

Author: thalin

modules/geth/default.nix

@@ -20,6 +20,7 @@
     mapAttrs'
     mapAttrsToList
     mkDefault
+    mkForce
     mkIf
     mkMerge
     nameValuePair
@@ -132,6 +133,14 @@ in {
                 (mkIf (cfg.args.authrpc.jwtsecret != null) {
                   LoadCredential = ["jwtsecret:${cfg.args.authrpc.jwtsecret}"];
                 })
+                (mkIf (cfg.user != null) {
+                  DynamicUser = mkForce false;
+                  RemoveIPC = mkDefault true;
+                  PrivateTmp = mkDefault true;
+                  NoNewPrivileges = mkDefault "strict";
+                  RestrictSUIDSGID = mkDefault true;
+                  ProtectSystem = mkDefault true;
+                })
               ];
             })
       )