From fd20b1b44bfe538060477b1888eb0ee5a490b251 Mon Sep 17 00:00:00 2001
From: Antonis Kotronakis
Date: Wed, 15 Oct 2025 01:20:03 +0100
Subject: [PATCH] nixos/tsidp: pass dir flag to avoid state being created in $HOME/.config
---
 nixos/modules/services/security/tsidp.nix | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/nixos/modules/services/security/tsidp.nix b/nixos/modules/services/security/tsidp.nix
index f79c4eceaf3e..4b854cf183ca 100644
--- a/nixos/modules/services/security/tsidp.nix
+++ b/nixos/modules/services/security/tsidp.nix
@@ -23,6 +23,8 @@ let
 nullOr
 ;
+ stateDir = "/var/lib/tsidp";
+
 cfg = config.services.tsidp;
 in
 {
@@ -154,7 +156,7 @@ in
 ];
 environment = {
- HOME = "/var/lib/tsidp";
+ HOME = stateDir;
 TAILSCALE_USE_WIP_CODE = "1"; # Needed while tsidp is in development (< v1.0.0).
 };
@@ -163,6 +165,7 @@ in
 ExecStart =
 let
 args = lib.cli.toGNUCommandLineShell { mkOptionName = k: "-${k}"; } {
+ dir = stateDir;
 hostname = cfg.settings.hostName;
 port = cfg.settings.port;
 local-port = cfg.settings.localPort;
@@ -179,8 +182,8 @@ in
 RestartSec = "15";
 DynamicUser = true;
- StateDirectory = "tsidp";
- WorkingDirectory = "/var/lib/tsidp";
+ StateDirectory = baseNameOf stateDir;
+ WorkingDirectory = stateDir;
 ReadWritePaths = mkIf (cfg.settings.useLocalTailscaled) [
 "/var/run/tailscale" # needed due to `ProtectSystem = "strict";`
 "/var/lib/tailscale"
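Review bot: In the first hunk `stateDir` is defined as a full path, and the last hunk recovers the unit's `StateDirectory` from it with `baseNameOf stateDir`, which is only correct while the path is a direct child of `/var/lib`. If the constant is later changed to another location, systemd would still create `/var/lib/<basename>` while `HOME`, `WorkingDirectory` and `-dir` point elsewhere; the comment in the last hunk indicates `ProtectSystem = "strict"` is set, so that other path would presumably not be writable. Consider defining the name first and deriving the path from it, `stateDirName = "tsidp";` and `stateDir = "/var/lib/${stateDirName}";`, or at least add the comment `# must stay directly under /var/lib: StateDirectory is derived from its basename`. The `let` block starts above the hunk.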
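Review bot: The new `dir = stateDir;` argument in the `ExecStart` hunk changes where tsidp keeps its state, but nothing visible in the patch handles hosts that already have state under `$HOME/.config` (below `/var/lib/tsidp`, given the old `HOME`). On upgrade such a host would presumably start from an empty state directory and come up with fresh identity material, which for an identity provider can break existing clients until they are re-enrolled; this is inferred from the commit subject, not from code on the page. A release-note entry or a one-time move of the old directory before the service starts would cover it. A comment on the new line, such as `# service state lives here; migrate it before changing this path`, would also record why the flag is passed. The argument set continues below the hunk.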