desko: freeze uids/gids

this will allow (eventually) removing the /var/lib/nixos persisted
state.

modules/universal/env/users.nix

@@ -1,4 +1,4 @@
-{ pkgs, lib, ... }:
+{ config, pkgs, lib, ... }:
 
 # installer docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix
 {
@@ -48,4 +48,31 @@
     permitRootLogin = "no";
     passwordAuthentication = false;
   };
+
+  # affix some UIDs which were historically auto-generated
+  # TODO: these vary across machines -- because they're autogenerated.
+  #   we should use high-level uids for this.
+  users.users.greeter.uid = 999;
+  users.users.nm-iodine.uid = 998;
+  users.users.sshd.uid = 997;
+  users.users.usbmux.uid = 996;
+
+  users.groups.greeter.gid = 999;
+  users.groups.polkituser.gid = 998;
+  users.groups.sshd.gid = 997;
+  users.groups.systemd-coredump.gid = 996;
+  users.groups.usbmux.gid = 995;
+
+  # guarantee determinism in uid/gid generation for users:
+  assertions = let
+    uidAssertions = builtins.attrValues (builtins.mapAttrs (name: user: {
+      assertion = user.uid != null;
+      message = "non-deterministic user config detected: ${name}";
+    }) config.users.users);
+    gidAssertions = builtins.attrValues (builtins.mapAttrs (name: group: {
+      assertion = group.gid != null;
+      message = "non-deterministic group config detected: ${name}";
+    }) config.users.groups);
+  in uidAssertions ++ gidAssertions;
+
 }