From fb57e9aa5ba1fd1c11ef41a2ae36d3cc8ded04bf Mon Sep 17 00:00:00 2001
From: colin
Date: Sun, 8 Jan 2023 06:46:07 +0000
Subject: [PATCH] cleanup the 'every user/group has an id' enforcement
---
 hosts/common/default.nix | 1 +
 hosts/common/ids.nix | 60 +++++++++++++++++++++++++
 hosts/common/users.nix | 38 ----------------
 hosts/desko/default.nix | 2 -
 hosts/rescue/default.nix | 3 --
 hosts/servo/services/freshrss.nix | 2 -
 hosts/servo/services/gitea.nix | 1 -
 hosts/servo/services/jellyfin.nix | 2 -
 hosts/servo/services/nginx.nix | 2 -
 hosts/servo/services/pleroma.nix | 2 -
 hosts/servo/services/wikipedia.nix | 2 -
 hosts/servo/users.nix | 1 -
 modules/allocations.nix | 63 --------------------------
 modules/default.nix | 2 +-
 modules/gui/default.nix | 2 -
 modules/gui/gnome.nix | 9 ----
 modules/gui/phosh.nix | 15 -------
 modules/gui/sway.nix | 4 --
 modules/ids.nix | 72 ++++++++++++++++++++++++++++++
 19 files changed, 134 insertions(+), 149 deletions(-)
 create mode 100644 hosts/common/ids.nix
 delete mode 100644 modules/allocations.nix
 create mode 100644 modules/ids.nix
diff --git a/hosts/common/default.nix b/hosts/common/default.nix
index d15bdd3d..197683c8 100644
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@@ -6,6 +6,7 @@
 ./fs.nix
 ./hardware
 ./i2p.nix
+ ./ids.nix
 ./machine-id.nix
 ./net.nix
 ./secrets.nix
diff --git a/hosts/common/ids.nix b/hosts/common/ids.nix
new file mode 100644
index 00000000..aefa1a2a
--- /dev/null
+++ b/hosts/common/ids.nix
@@ -0,0 +1,60 @@
+{ ... }:
+
+{
+ # legacy servo users, some are inconvenient to migrate
+ sane.ids.dhcpcd.gid = 991;
+ sane.ids.dhcpcd.uid = 992;
+ sane.ids.gitea.gid = 993;
+ sane.ids.git.uid = 994;
+ sane.ids.jellyfin.gid = 994;
+ sane.ids.pleroma.gid = 995;
+ sane.ids.jellyfin.uid = 996;
+ sane.ids.acme.gid = 996;
+ sane.ids.pleroma.uid = 997;
+ sane.ids.acme.uid = 998;
+
+ # greetd (used by sway)
+ sane.ids.greeter.uid = 999;
+ sane.ids.greeter.gid = 999;
+
+ # new servo users
+ sane.ids.freshrss.uid = 2401;
+ sane.ids.freshrss.gid = 2401;
+ sane.ids.mediawiki.uid = 2402;
+
+ sane.ids.colin.uid = 1000;
+ sane.ids.guest.uid = 1100;
+
+ # found on all hosts
+ sane.ids.sshd.uid = 2001; # 997
+ sane.ids.sshd.gid = 2001; # 997
+ sane.ids.polkituser.gid = 2002; # 998
+ sane.ids.systemd-coredump.gid = 2003; # 996
+ sane.ids.nscd.uid = 2004;
+ sane.ids.nscd.gid = 2004;
+ sane.ids.systemd-oom.uid = 2005;
+ sane.ids.systemd-oom.gid = 2005;
+
+ # found on graphical hosts
+ sane.ids.nm-iodine.uid = 2101; # desko/moby/lappy
+
+ # found on desko host
+ # from services.usbmuxd
+ sane.ids.usbmux.uid = 2204;
+ sane.ids.usbmux.gid = 2204;
+
+
+ # originally found on moby host
+ # gnome core-shell
+ sane.ids.avahi.uid = 2304;
+ sane.ids.avahi.gid = 2304;
+ sane.ids.colord.uid = 2305;
+ sane.ids.colord.gid = 2305;
+ sane.ids.geoclue.uid = 2306;
+ sane.ids.geoclue.gid = 2306;
+ # gnome core-os-services
+ sane.ids.rtkit.uid = 2307;
+ sane.ids.rtkit.gid = 2307;
+ # phosh
+ sane.ids.feedbackd.gid = 2308;
+}
diff --git a/hosts/common/users.nix b/hosts/common/users.nix
index f0a4738f..ce8dbbaf 100644
--- a/hosts/common/users.nix
+++ b/hosts/common/users.nix
@@ -5,9 +5,6 @@ with lib;
 let
 cfg = config.sane.users;
 fs = sane-lib.fs;
- # see nixpkgs/nixos/modules/services/networking/dhcpcd.nix
- hasDHCP = config.networking.dhcpcd.enable &&
- (config.networking.useDHCP || any (i: i.useDHCP == true) (attrValues config.networking.interfaces));
 in
 {
 options = {
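Review bot: hosts/common/ids.nix has no comment explaining how its keys are consumed: from modules/ids.nix in this same patch, an entry only takes effect when an account with exactly that attribute name is declared in `users.users`/`users.groups`, so a misspelt key is silently inert and the host then fails the non-null assertion instead of pointing at the stale key. A header such as `# keys must match users.users.<name> / users.groups.<name> exactly; entries for accounts a host does not declare are ignored, so this table is the union across hosts` would save the next reader a trip to the module. The trailing `# 997`-style comments presumably record what the allocator previously handed out; `# was auto-allocated 997 before being pinned` makes clear they are history rather than an alternative value. Sharing a number between a uid and an unrelated gid (994 for git.uid/jellyfin.gid, 996 for jellyfin.uid/acme.gid) is carried over from allocations.nix and is legal, but a one-line note that it is deliberate would stop it being "fixed" later.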
@@ -29,7 +26,6 @@ in
 home = "/home/colin";
 createHome = true;
 homeMode = "0700";
- uid = config.sane.allocations.colin-uid;
 # i don't get exactly what this is, but nixos defaults to this non-deterministically
 # in /var/lib/nixos/auto-subuid-map and i don't want that.
 subUidRanges = [
@@ -111,7 +107,6 @@ in
 users.users.guest = mkIf cfg.guest.enable {
 isNormalUser = true;
 home = "/home/guest";
- uid = config.sane.allocations.guest-uid;
 subUidRanges = [
 { startUid=200000; count=1; }
 ];
@@ -123,13 +118,6 @@ in
 ];
 };
- users.users.dhcpcd = mkIf hasDHCP {
- uid = config.sane.allocations.dhcpcd-uid;
- };
- users.groups.dhcpcd = mkIf hasDHCP {
- gid = config.sane.allocations.dhcpcd-gid;
- };
-
 security.sudo = {
 enable = true;
 wheelNeedsPassword = false;
@@ -140,31 +128,5 @@ in
 permitRootLogin = "no";
 passwordAuthentication = false;
 };
-
- # affix some UIDs which were historically auto-generated
- users.users.sshd.uid = config.sane.allocations.sshd-uid;
- users.groups.polkituser.gid = config.sane.allocations.polkituser-gid;
- users.groups.sshd.gid = config.sane.allocations.sshd-gid;
- users.groups.systemd-coredump.gid = config.sane.allocations.systemd-coredump-gid;
- users.users.nscd.uid = config.sane.allocations.nscd-uid;
- users.groups.nscd.gid = config.sane.allocations.nscd-gid;
- users.users.systemd-oom.uid = config.sane.allocations.systemd-oom-uid;
- users.groups.systemd-oom.gid = config.sane.allocations.systemd-oom-gid;
-
- # guarantee determinism in uid/gid generation for users:
- assertions = let
- uidAssertions = builtins.attrValues (builtins.mapAttrs (name: user: {
- assertion = user.uid != null;
- message = "non-deterministic uid detected for: ${name}";
- }) config.users.users);
- gidAssertions = builtins.attrValues (builtins.mapAttrs (name: group: {
- assertion = group.gid != null;
- message = "non-deterministic gid detected for: ${name}";
- }) config.users.groups);
- autoSubAssertions = builtins.attrValues (builtins.mapAttrs (name: user: {
- assertion = !user.autoSubUidGidRange;
- message = "non-deterministic subUids/Guids detected for: ${name}";
- }) config.users.users);
- in uidAssertions ++ gidAssertions ++ autoSubAssertions;
 };
 }
diff --git a/hosts/desko/default.nix b/hosts/desko/default.nix
index bf409f98..92b8a5f2 100644
--- a/hosts/desko/default.nix
+++ b/hosts/desko/default.nix
@@ -17,8 +17,6 @@
 # needed to use libimobiledevice/ifuse, for iphone sync
 services.usbmuxd.enable = true;
- users.users.usbmux.uid = config.sane.allocations.usbmux-uid;
- users.groups.usbmux.gid = config.sane.allocations.usbmux-gid;
 sops.secrets.colin-passwd = {
 sopsFile = ../../secrets/desko.yaml;
diff --git a/hosts/rescue/default.nix b/hosts/rescue/default.nix
index e3cf402f..95dff909 100644
--- a/hosts/rescue/default.nix
+++ b/hosts/rescue/default.nix
@@ -8,9 +8,6 @@
 boot.loader.efi.canTouchEfiVariables = false;
 sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
- users.users.dhcpcd.uid = config.sane.allocations.dhcpcd-uid;
- users.groups.dhcpcd.gid = config.sane.allocations.dhcpcd-gid;
-
 # docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
 system.stateVersion = "21.05";
 }
diff --git a/hosts/servo/services/freshrss.nix b/hosts/servo/services/freshrss.nix
index 22270944..b371ae0c 100644
--- a/hosts/servo/services/freshrss.nix
+++ b/hosts/servo/services/freshrss.nix
@@ -20,8 +20,6 @@
 { user = "freshrss"; group = "freshrss"; directory = "/var/lib/freshrss"; }
 ];
- users.users.freshrss.uid = config.sane.allocations.freshrss-uid;
- users.groups.freshrss.gid = config.sane.allocations.freshrss-gid;
 services.freshrss.enable = true;
 services.freshrss.baseUrl = "https://rss.uninsane.org";
 services.freshrss.virtualHost = "rss.uninsane.org";
diff --git a/hosts/servo/services/gitea.nix b/hosts/servo/services/gitea.nix
index 248b5712..200e75b9 100644
--- a/hosts/servo/services/gitea.nix
+++ b/hosts/servo/services/gitea.nix
@@ -5,7 +5,6 @@
 # TODO: mode? could be more granular
 { user = "git"; group = "gitea"; directory = "/var/lib/gitea"; }
 ];
- users.groups.gitea.gid = config.sane.allocations.gitea-gid;
 services.gitea.enable = true;
 services.gitea.user = "git"; # default is 'gitea'
 services.gitea.database.type = "postgres";
diff --git a/hosts/servo/services/jellyfin.nix b/hosts/servo/services/jellyfin.nix
index d8e8b4e6..d29b88e6 100644
--- a/hosts/servo/services/jellyfin.nix
+++ b/hosts/servo/services/jellyfin.nix
@@ -63,7 +63,5 @@ lib.mkIf false
 sane.services.trust-dns.zones."uninsane.org".inet.CNAME."jelly" = "native";
- # users.users.jellyfin.uid = config.sane.allocations.jellyfin-uid;
- # users.groups.jellyfin.gid = config.sane.allocations.jellyfin-gid;
 services.jellyfin.enable = true;
 }
diff --git a/hosts/servo/services/nginx.nix b/hosts/servo/services/nginx.nix
index bd3f0c17..077104ba 100644
--- a/hosts/servo/services/nginx.nix
+++ b/hosts/servo/services/nginx.nix
@@ -120,8 +120,6 @@ in
 security.acme.acceptTerms = true;
 security.acme.defaults.email = "admin.acme@uninsane.org";
- users.users.acme.uid = config.sane.allocations.acme-uid;
- users.groups.acme.gid = config.sane.allocations.acme-gid;
 sane.persist.sys.plaintext = [
 # TODO: mode?
 { user = "acme"; group = "acme"; directory = "/var/lib/acme"; }
diff --git a/hosts/servo/services/pleroma.nix b/hosts/servo/services/pleroma.nix
index 71762b66..c66600ac 100644
--- a/hosts/servo/services/pleroma.nix
+++ b/hosts/servo/services/pleroma.nix
@@ -10,8 +10,6 @@
 # TODO: mode? could be more granular
 { user = "pleroma"; group = "pleroma"; directory = "/var/lib/pleroma"; }
 ];
- users.users.pleroma.uid = config.sane.allocations.pleroma-uid;
- users.groups.pleroma.gid = config.sane.allocations.pleroma-gid;
 services.pleroma.enable = true;
 services.pleroma.secretConfigFile = config.sops.secrets.pleroma_secrets.path;
 services.pleroma.configs = [
diff --git a/hosts/servo/services/wikipedia.nix b/hosts/servo/services/wikipedia.nix
index e0447c2a..b0efc1ce 100644
--- a/hosts/servo/services/wikipedia.nix
+++ b/hosts/servo/services/wikipedia.nix
@@ -11,8 +11,6 @@ lib.mkIf false
 sopsFile = ../../../secrets/servo.yaml;
 };
- users.users.mediawiki.uid = config.sane.allocations.mediawiki-uid;
-
 services.mediawiki.enable = true;
 services.mediawiki.name = "Uninsane Wiki";
 services.mediawiki.passwordFile = config.sops.secrets.mediawiki_pw.path;
diff --git a/hosts/servo/users.nix b/hosts/servo/users.nix
index ab21a9f1..dac446a6 100644
--- a/hosts/servo/users.nix
+++ b/hosts/servo/users.nix
@@ -12,7 +12,6 @@
 home = "/var/lib/gitea";
 useDefaultShell = true;
 group = "gitea";
- uid = config.sane.allocations.git-uid;
 isSystemUser = true;
 # sendmail access (not 100% sure if this is necessary)
 extraGroups = [ "postdrop" ];
diff --git a/modules/allocations.nix b/modules/allocations.nix
deleted file mode 100644
index 883b06b1..00000000
--- a/modules/allocations.nix
+++ /dev/null
@@ -1,63 +0,0 @@
-{ lib, ... }:
-
-with lib;
-let
- mkId = id: mkOption {
- default = id;
- type = types.int;
- };
-in
-{
- options = {
- # legacy servo users, some are inconvenient to migrate
- sane.allocations.dhcpcd-gid = mkId 991;
- sane.allocations.dhcpcd-uid = mkId 992;
- sane.allocations.gitea-gid = mkId 993;
- sane.allocations.git-uid = mkId 994;
- sane.allocations.jellyfin-gid = mkId 994;
- sane.allocations.pleroma-gid = mkId 995;
- sane.allocations.jellyfin-uid = mkId 996;
- sane.allocations.acme-gid = mkId 996;
- sane.allocations.pleroma-uid = mkId 997;
- sane.allocations.acme-uid = mkId 998;
- sane.allocations.greeter-uid = mkId 999;
- sane.allocations.greeter-gid = mkId 999;
-
- # new servo users
- sane.allocations.freshrss-uid = mkId 2401;
- sane.allocations.freshrss-gid = mkId 2401;
- sane.allocations.mediawiki-uid = mkId 2402;
-
- sane.allocations.colin-uid = mkId 1000;
- sane.allocations.guest-uid = mkId 1100;
-
- # found on all hosts
- sane.allocations.sshd-uid = mkId 2001; # 997
- sane.allocations.sshd-gid = mkId 2001; # 997
- sane.allocations.polkituser-gid = mkId 2002; # 998
- sane.allocations.systemd-coredump-gid = mkId 2003; # 996
- sane.allocations.nscd-uid = mkId 2004;
- sane.allocations.nscd-gid = mkId 2004;
- sane.allocations.systemd-oom-uid = mkId 2005;
- sane.allocations.systemd-oom-gid = mkId 2005;
-
- # found on graphical hosts
- sane.allocations.nm-iodine-uid = mkId 2101; # desko/moby/lappy
-
- # found on desko host
- sane.allocations.usbmux-uid = mkId 2204;
- sane.allocations.usbmux-gid = mkId 2204;
-
-
- # originally found on moby host
- sane.allocations.avahi-uid = mkId 2304;
- sane.allocations.avahi-gid = mkId 2304;
- sane.allocations.colord-uid = mkId 2305;
- sane.allocations.colord-gid = mkId 2305;
- sane.allocations.geoclue-uid = mkId 2306;
- sane.allocations.geoclue-gid = mkId 2306;
- sane.allocations.rtkit-uid = mkId 2307;
- sane.allocations.rtkit-gid = mkId 2307;
- sane.allocations.feedbackd-gid = mkId 2308;
- };
-}
diff --git a/modules/default.nix b/modules/default.nix
index f5d7ea5e..5eedd758 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -2,11 +2,11 @@
 {
 imports = [
- ./allocations.nix
 ./feeds.nix
 ./fs
 ./gui
 ./home-manager
+ ./ids.nix
 ./packages.nix
 ./image.nix
 ./nixcache.nix
diff --git a/modules/gui/default.nix b/modules/gui/default.nix
index 941024f6..ce602fb5 100644
--- a/modules/gui/default.nix
+++ b/modules/gui/default.nix
@@ -23,8 +23,6 @@ in
 config = lib.mkIf cfg.enable {
 sane.packages.enableGuiPkgs = lib.mkDefault true;
- # all GUIs use network manager?
- users.users.nm-iodine.uid = config.sane.allocations.nm-iodine-uid;
 # preserve backlight brightness across power cycles
 # see `man systemd-backlight`
diff --git a/modules/gui/gnome.nix b/modules/gui/gnome.nix
index 401ecf82..ff612201 100644
--- a/modules/gui/gnome.nix
+++ b/modules/gui/gnome.nix
@@ -15,15 +15,6 @@ in
 config = mkIf cfg.enable {
 sane.gui.enable = true;
- users.users.avahi.uid = config.sane.allocations.avahi-uid;
- users.groups.avahi.gid = config.sane.allocations.avahi-gid;
- users.users.colord.uid = config.sane.allocations.colord-uid;
- users.groups.colord.gid = config.sane.allocations.colord-gid;
- users.users.geoclue.uid = config.sane.allocations.geoclue-uid;
- users.groups.geoclue.gid = config.sane.allocations.geoclue-gid;
- users.users.rtkit.uid = config.sane.allocations.rtkit-uid;
- users.groups.rtkit.gid = config.sane.allocations.rtkit-gid;
-
 # start gnome/gdm on boot
 services.xserver.enable = true;
 services.xserver.desktopManager.gnome.enable = true;
diff --git a/modules/gui/phosh.nix b/modules/gui/phosh.nix
index 590a003f..3c607779 100644
--- a/modules/gui/phosh.nix
+++ b/modules/gui/phosh.nix
@@ -24,21 +24,6 @@ in
 {
 sane.gui.enable = true;
- # gnome core-os-services
- users.users.rtkit.uid = config.sane.allocations.rtkit-uid;
- users.groups.rtkit.gid = config.sane.allocations.rtkit-gid;
-
- # gnome core-shell
- users.users.avahi.uid = config.sane.allocations.avahi-uid;
- users.users.colord.uid = config.sane.allocations.colord-uid;
- users.users.geoclue.uid = config.sane.allocations.geoclue-uid;
- users.groups.avahi.gid = config.sane.allocations.avahi-gid;
- users.groups.colord.gid = config.sane.allocations.colord-gid;
- users.groups.geoclue.gid = config.sane.allocations.geoclue-gid;
-
- # phosh
- users.groups.feedbackd.gid = config.sane.allocations.feedbackd-gid;
-
 # docs: https://github.com/NixOS/nixpkgs/blob/nixos-22.05/nixos/modules/services/x11/desktop-managers/phosh.nix
 services.xserver.desktopManager.phosh = {
 enable = true;
diff --git a/modules/gui/sway.nix b/modules/gui/sway.nix
index e007283c..a109bb1f 100644
--- a/modules/gui/sway.nix
+++ b/modules/gui/sway.nix
@@ -23,10 +23,6 @@ in
 config = mkIf cfg.enable {
 sane.gui.enable = true;
- # greetd
- users.users.greeter.uid = config.sane.allocations.greeter-uid;
- users.groups.greeter.gid = config.sane.allocations.greeter-gid;
-
 programs.sway = {
 # we configure sway with home-manager, but this enable gets us e.g. opengl and fonts
 enable = true;
diff --git a/modules/ids.nix b/modules/ids.nix
new file mode 100644
index 00000000..21694dea
--- /dev/null
+++ b/modules/ids.nix
@@ -0,0 +1,72 @@
+{ lib, config, ... }:
+
+with lib;
+let
+ cfg = config.sane.ids;
+ id = types.submodule {
+ options = {
+ uid = mkOption {
+ type = types.nullOr types.int;
+ default = null;
+ };
+ gid = mkOption {
+ type = types.nullOr types.int;
+ default = null;
+ };
+ };
+ };
+
+ userOpts = { name, ... }: {
+ config =
+ let
+ ent-ids = cfg."${name}" or {};
+ uid = ent-ids.uid or null;
+ in
+ {
+ uid = lib.mkIf (uid != null) uid;
+ };
+ };
+
+ groupOpts = { name, ... }: {
+ config =
+ let
+ ent-ids = cfg."${name}" or {};
+ gid = ent-ids.gid or null;
+ in
+ {
+ gid = lib.mkIf (gid != null) gid;
+ };
+ };
+in
+{
+ options = {
+ sane.ids = mkOption {
+ type = types.attrsOf id;
+ default = {};
+ };
+ users.users = mkOption {
+ type = types.attrsOf (types.submodule userOpts);
+ };
+ users.groups = mkOption {
+ type = types.attrsOf (types.submodule groupOpts);
+ };
+ };
+
+ config = {
+ # guarantee determinism in uid/gid generation for users:
+ assertions = let
+ uidAssertions = builtins.attrValues (builtins.mapAttrs (name: user: {
+ assertion = user.uid != null;
+ message = "non-deterministic uid detected for: ${name}";
+ }) config.users.users);
+ gidAssertions = builtins.attrValues (builtins.mapAttrs (name: group: {
+ assertion = group.gid != null;
+ message = "non-deterministic gid detected for: ${name}";
+ }) config.users.groups);
+ autoSubAssertions = builtins.attrValues (builtins.mapAttrs (name: user: {
+ assertion = !user.autoSubUidGidRange;
+ message = "non-deterministic subUids/Guids detected for: ${name}";
+ }) config.users.users);
+ in uidAssertions ++ gidAssertions ++ autoSubAssertions;
+ };
+}
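Review bot: `uid`/`gid` in the `id` submodule are typed `types.nullOr types.int`, so a negative or out-of-range value satisfies the `!= null` assertions at the bottom of the hunk and would surface, if at all, only when the account is actually created at activation; `type = types.nullOr types.ints.unsigned;` on both options rejects it at evaluation time instead. The module also never states its contract — that the attribute name under `sane.ids` is matched verbatim against `users.users.<name>`/`users.groups.<name>`, and that entries for accounts a host never declares are inert, which is what allows hosts/common/ids.nix to be one shared superset table; a header comment such as `# every user/group must carry a fixed uid/gid: sane.ids.<name> supplies it by account name, and the assertions below fail evaluation for anything left to the activation script's allocator` plus a `description` on the `sane.ids` option would cover it. Since `sane.ids` is `attrsOf id` and both fields default to `null`, the `or null` fallbacks in userOpts/groupOpts look redundant and each lookup could read as a single `cfg.${name}.uid or null` (resp. `.gid`).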