desko: freeze uids/gids
this will allow (eventually) removing the /var/lib/nixos persisted state.
parent
8a61be18e1
commit
3773aebac0
29
modules/universal/env/users.nix
vendored
29
modules/universal/env/users.nix
vendored
|
@ -1,4 +1,4 @@
|
|||
{ pkgs, lib, ... }:
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
# installer docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix
|
||||
{
|
||||
|
@ -48,4 +48,31 @@
|
|||
permitRootLogin = "no";
|
||||
passwordAuthentication = false;
|
||||
};
|
||||
|
||||
# affix some UIDs which were historically auto-generated
|
||||
# TODO: these vary across machines -- because they're autogenerated.
|
||||
# we should use high-level uids for this.
|
||||
users.users.greeter.uid = 999;
|
||||
users.users.nm-iodine.uid = 998;
|
||||
users.users.sshd.uid = 997;
|
||||
users.users.usbmux.uid = 996;
|
||||
|
||||
users.groups.greeter.gid = 999;
|
||||
users.groups.polkituser.gid = 998;
|
||||
users.groups.sshd.gid = 997;
|
||||
users.groups.systemd-coredump.gid = 996;
|
||||
users.groups.usbmux.gid = 995;
|
||||
|
||||
# guarantee determinism in uid/gid generation for users:
|
||||
assertions = let
|
||||
uidAssertions = builtins.attrValues (builtins.mapAttrs (name: user: {
|
||||
assertion = user.uid != null;
|
||||
message = "non-deterministic user config detected: ${name}";
|
||||
}) config.users.users);
|
||||
gidAssertions = builtins.attrValues (builtins.mapAttrs (name: group: {
|
||||
assertion = group.gid != null;
|
||||
message = "non-deterministic group config detected: ${name}";
|
||||
}) config.users.groups);
|
||||
in uidAssertions ++ gidAssertions;
|
||||
|
||||
}
|
||||
|
|
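Review bot: The ids pinned in the second hunk (`users.users.sshd.uid = 997;`, `users.groups.systemd-coredump.gid = 996;` and the rest) are, per the TODO above them, numbers that were auto-generated and vary across machines, yet the path is under modules/universal while the title names only desko. On any host where these numbers were previously assigned differently, files already on disk keep their numeric owner, so state that belonged to one service account would end up owned by another (for instance by the sshd user) once this is deployed. That becomes harder to notice after /var/lib/nixos is no longer persisted, since the old name-to-id mapping is presumably recorded only there. I would extend the TODO with the per-host check, e.g. `# before deploying to a host: compare these against the id maps under /var/lib/nixos and chown any state whose owner changes`. Separately, the assertion messages could say how to fix the failure, e.g. `message = "user ${name} has no fixed uid; set users.users.${name}.uid";`.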