From 877610c1ce3efa1743643a7589e4079cfd0b1917 Mon Sep 17 00:00:00 2001 From: Giacomo Leidi Date: Wed, 10 Sep 2025 09:21:53 +0200 Subject: [PATCH] services: oci: Fix OCI backed Shepherd services HOME variable. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This patch allows containers run with podman to run each with their own specific user. * doc/guix.texi: Fix wrong type for oci-container-configuration's shepherd-dependencies field. * gnu/services/containers.scm (oci-container-shepherd-service): In case a specific container is not run through the user provisioned by the oci-service-type, its environment is different from the globally provisioned one and must be recomputed. Change-Id: I5d636ad0616ced0af124002de4403da3067334de Signed-off-by: Ludovic Courtès --- doc/guix.texi | 2 +- gnu/services/containers.scm | 7 ++++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 0924aebf4ad03cd964c093ded0589ecb72378017..00d235b3b05f55ec2d3117595c3410d46c68e5d5 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -44867,7 +44867,7 @@ is @code{#f}, the service has to be started manually with @command{herd start}. Whether to have Shepherd restart the service when it stops, for instance when the underlying process dies. -@item @code{shepherd-actions} (default: @code{'()}) (type: list-of-symbols) +@item @code{shepherd-actions} (default: @code{'()}) (type: list-of-shepherd-actions) This is a list of @code{shepherd-action} records defining actions supported by the service. diff --git a/gnu/services/containers.scm b/gnu/services/containers.scm index c9eadea9b4793393ee950d550e25708328a22dc3..0c3d6463e45a6045aa3bad87c98c127605a2319f 100644 --- a/gnu/services/containers.scm +++ b/gnu/services/containers.scm 
@@ -1277,7 +1277,12 @@ by CONFIG through RUNTIME-CLI." (define environment-variables #~(append (list #$@host-environment) - (list #$@(oci-runtime-state-runtime-environment runtime-state)))) + ;; In case this specific container is not run through the user + ;; provisioned by the oci-service-type, its environment is different + ;; from the globally provisioned one and must be recomputed. + (list #$@(if (maybe-value-set? user) + (oci-runtime-system-environment runtime user) + (oci-runtime-state-runtime-environment runtime-state))))) (define invocation (oci-container-run-invocation (oci-container-configuration->oci-container-invocation
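Review bot: The recomputed per-user environment is still appended after `host-environment`, so if a configuration forwards `HOME` or another user-scoped variable from the host, the list carries two entries for the same name, and the hunk shows no de-duplication to decide which one the spawned process sees. The fix exists so that a podman container run as its own `user` does not resolve per-user state under the globally provisioned account's home, so the precedence should be stated and checked, e.g. `;; These entries are meant to override HOST-ENVIRONMENT: a forwarded HOME would point at another account's home directory.` The branch is also keyed on `(maybe-value-set? user)`, while the comment speaks of a user different from the provisioned one; the comment should say "when the container sets its own user" to match the test. `user`, `runtime` and `oci-runtime-system-environment` are bound outside the hunk, so whether the lookup fails cleanly for an account that does not exist cannot be judged from here. The enclosing procedure starts before and continues past the hunk.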