# MCP (Metacircular Control Plane) agent user and configuration.
#
# Declares the dedicated 'mcp' system account and its group, with the
# subordinate UID/GID ranges rootless podman needs. The agent runs as this
# user and manages containers for all platform services via /srv/.
{ pkgs, ... }:

let
  # Both subordinate ranges share one window: host IDs 100000-165535.
  # NOTE(review): the window is hard-coded; confirm no other account on this
  # host is assigned an overlapping subordinate range, since overlapping
  # ranges would make two accounts' container IDs land on the same host IDs.
  subIdStart = 100000;
  subIdCount = 65536;
in
{
  users = {
    groups.mcp = {};

    users.mcp = {
      isSystemUser = true;
      group = "mcp";

      # NOTE(review): createHome is not set in this module, so /srv/mcp is
      # presumably provisioned elsewhere; confirm it exists and is owned by
      # mcp with a restrictive mode, as rootless container storage lives
      # under the user's home by default.
      home = "/srv/mcp";

      # nologin equivalent: the account cannot be used for interactive logins.
      shell = pkgs.shadow;

      subUidRanges = [{ startUid = subIdStart; count = subIdCount; }];
      subGidRanges = [{ startGid = subIdStart; count = subIdCount; }];

      # Lingering lets this user's services (podman) run without an active
      # login session, so they are not tied to anyone being logged in.
      linger = true;
    };
  };
}