cleanup the 'every user/group has an id' enforcement
This commit is contained in:
parent
f5acbbd830
commit
fb57e9aa5b
|
@ -6,6 +6,7 @@
|
||||||
./fs.nix
|
./fs.nix
|
||||||
./hardware
|
./hardware
|
||||||
./i2p.nix
|
./i2p.nix
|
||||||
|
./ids.nix
|
||||||
./machine-id.nix
|
./machine-id.nix
|
||||||
./net.nix
|
./net.nix
|
||||||
./secrets.nix
|
./secrets.nix
|
||||||
|
|
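--- /dev/null
+++ b/hosts/common/ids.nix
@@ -0,0 +1,60 @@
+{ ... }:
+
+{
+# legacy servo users, some are inconvenient to migrate
+sane.ids.dhcpcd.gid = 991;
+sane.ids.dhcpcd.uid = 992;
+sane.ids.gitea.gid = 993;
+sane.ids.git.uid = 994;
+sane.ids.jellyfin.gid = 994;
+sane.ids.pleroma.gid = 995;
+sane.ids.jellyfin.uid = 996;
+sane.ids.acme.gid = 996;
+sane.ids.pleroma.uid = 997;
+sane.ids.acme.uid = 998;
+
+# greetd (used by sway)
+sane.ids.greeter.uid = 999;
+sane.ids.greeter.gid = 999;
+
+# new servo users
+sane.ids.freshrss.uid = 2401;
+sane.ids.freshrss.gid = 2401;
+sane.ids.mediawiki.uid = 2402;
+
+sane.ids.colin.uid = 1000;
+sane.ids.guest.uid = 1100;
+
+# found on all hosts
+sane.ids.sshd.uid = 2001; # 997
+sane.ids.sshd.gid = 2001; # 997
+sane.ids.polkituser.gid = 2002; # 998
+sane.ids.systemd-coredump.gid = 2003; # 996
+sane.ids.nscd.uid = 2004;
+sane.ids.nscd.gid = 2004;
+sane.ids.systemd-oom.uid = 2005;
+sane.ids.systemd-oom.gid = 2005;
+
+# found on graphical hosts
+sane.ids.nm-iodine.uid = 2101; # desko/moby/lappy
+
+# found on desko host
+# from services.usbmuxd
+sane.ids.usbmux.uid = 2204;
+sane.ids.usbmux.gid = 2204;
+
+
+# originally found on moby host
+# gnome core-shell
+sane.ids.avahi.uid = 2304;
+sane.ids.avahi.gid = 2304;
+sane.ids.colord.uid = 2305;
+sane.ids.colord.gid = 2305;
+sane.ids.geoclue.uid = 2306;
+sane.ids.geoclue.gid = 2306;
+# gnome core-os-services
+sane.ids.rtkit.uid = 2307;
+sane.ids.rtkit.gid = 2307;
+# phosh
+sane.ids.feedbackd.gid = 2308;
+}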
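Review bot: The `# 997`, `# 998` and `# 996` trailers on the sshd, polkituser and systemd-coredump entries carry no explanation; if they record the id nixos had auto-allocated before the pin, one comment above that block, `# trailing numbers: the id nixos had auto-allocated before it was pinned`, keeps the next reader from mistaking them for alternative values. The file also has no header saying what it is; `# static uid/gid table consumed by modules/ids.nix; applied to users.users.<name>.uid / users.groups.<name>.gid where that account exists` would do. Separately, the new system accounts are pinned at 2001 and up, which is the range login.defs and accountsservice conventionally treat as regular users, while the legacy entries stay below 1000; worth confirming that greeters and user-listing tooling on these hosts do not surface sshd, nscd or usbmux as login accounts.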
@ -5,9 +5,6 @@ with lib;
|
||||||
let
|
let
|
||||||
cfg = config.sane.users;
|
cfg = config.sane.users;
|
||||||
fs = sane-lib.fs;
|
fs = sane-lib.fs;
|
||||||
# see nixpkgs/nixos/modules/services/networking/dhcpcd.nix
|
|
||||||
hasDHCP = config.networking.dhcpcd.enable &&
|
|
||||||
(config.networking.useDHCP || any (i: i.useDHCP == true) (attrValues config.networking.interfaces));
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options = {
|
options = {
|
||||||
|
@ -29,7 +26,6 @@ in
|
||||||
home = "/home/colin";
|
home = "/home/colin";
|
||||||
createHome = true;
|
createHome = true;
|
||||||
homeMode = "0700";
|
homeMode = "0700";
|
||||||
uid = config.sane.allocations.colin-uid;
|
|
||||||
# i don't get exactly what this is, but nixos defaults to this non-deterministically
|
# i don't get exactly what this is, but nixos defaults to this non-deterministically
|
||||||
# in /var/lib/nixos/auto-subuid-map and i don't want that.
|
# in /var/lib/nixos/auto-subuid-map and i don't want that.
|
||||||
subUidRanges = [
|
subUidRanges = [
|
||||||
|
@ -111,7 +107,6 @@ in
|
||||||
users.users.guest = mkIf cfg.guest.enable {
|
users.users.guest = mkIf cfg.guest.enable {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
home = "/home/guest";
|
home = "/home/guest";
|
||||||
uid = config.sane.allocations.guest-uid;
|
|
||||||
subUidRanges = [
|
subUidRanges = [
|
||||||
{ startUid=200000; count=1; }
|
{ startUid=200000; count=1; }
|
||||||
];
|
];
|
||||||
|
@ -123,13 +118,6 @@ in
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users.dhcpcd = mkIf hasDHCP {
|
|
||||||
uid = config.sane.allocations.dhcpcd-uid;
|
|
||||||
};
|
|
||||||
users.groups.dhcpcd = mkIf hasDHCP {
|
|
||||||
gid = config.sane.allocations.dhcpcd-gid;
|
|
||||||
};
|
|
||||||
|
|
||||||
security.sudo = {
|
security.sudo = {
|
||||||
enable = true;
|
enable = true;
|
||||||
wheelNeedsPassword = false;
|
wheelNeedsPassword = false;
|
||||||
|
@ -140,31 +128,5 @@ in
|
||||||
permitRootLogin = "no";
|
permitRootLogin = "no";
|
||||||
passwordAuthentication = false;
|
passwordAuthentication = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
# affix some UIDs which were historically auto-generated
|
|
||||||
users.users.sshd.uid = config.sane.allocations.sshd-uid;
|
|
||||||
users.groups.polkituser.gid = config.sane.allocations.polkituser-gid;
|
|
||||||
users.groups.sshd.gid = config.sane.allocations.sshd-gid;
|
|
||||||
users.groups.systemd-coredump.gid = config.sane.allocations.systemd-coredump-gid;
|
|
||||||
users.users.nscd.uid = config.sane.allocations.nscd-uid;
|
|
||||||
users.groups.nscd.gid = config.sane.allocations.nscd-gid;
|
|
||||||
users.users.systemd-oom.uid = config.sane.allocations.systemd-oom-uid;
|
|
||||||
users.groups.systemd-oom.gid = config.sane.allocations.systemd-oom-gid;
|
|
||||||
|
|
||||||
# guarantee determinism in uid/gid generation for users:
|
|
||||||
assertions = let
|
|
||||||
uidAssertions = builtins.attrValues (builtins.mapAttrs (name: user: {
|
|
||||||
assertion = user.uid != null;
|
|
||||||
message = "non-deterministic uid detected for: ${name}";
|
|
||||||
}) config.users.users);
|
|
||||||
gidAssertions = builtins.attrValues (builtins.mapAttrs (name: group: {
|
|
||||||
assertion = group.gid != null;
|
|
||||||
message = "non-deterministic gid detected for: ${name}";
|
|
||||||
}) config.users.groups);
|
|
||||||
autoSubAssertions = builtins.attrValues (builtins.mapAttrs (name: user: {
|
|
||||||
assertion = !user.autoSubUidGidRange;
|
|
||||||
message = "non-deterministic subUids/Guids detected for: ${name}";
|
|
||||||
}) config.users.users);
|
|
||||||
in uidAssertions ++ gidAssertions ++ autoSubAssertions;
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -17,8 +17,6 @@
|
||||||
|
|
||||||
# needed to use libimobiledevice/ifuse, for iphone sync
|
# needed to use libimobiledevice/ifuse, for iphone sync
|
||||||
services.usbmuxd.enable = true;
|
services.usbmuxd.enable = true;
|
||||||
users.users.usbmux.uid = config.sane.allocations.usbmux-uid;
|
|
||||||
users.groups.usbmux.gid = config.sane.allocations.usbmux-gid;
|
|
||||||
|
|
||||||
sops.secrets.colin-passwd = {
|
sops.secrets.colin-passwd = {
|
||||||
sopsFile = ../../secrets/desko.yaml;
|
sopsFile = ../../secrets/desko.yaml;
|
||||||
|
|
|
@ -8,9 +8,6 @@
|
||||||
boot.loader.efi.canTouchEfiVariables = false;
|
boot.loader.efi.canTouchEfiVariables = false;
|
||||||
sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
|
sane.image.extraBootFiles = [ pkgs.bootpart-uefi-x86_64 ];
|
||||||
|
|
||||||
users.users.dhcpcd.uid = config.sane.allocations.dhcpcd-uid;
|
|
||||||
users.groups.dhcpcd.gid = config.sane.allocations.dhcpcd-gid;
|
|
||||||
|
|
||||||
# docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
|
# docs: https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion
|
||||||
system.stateVersion = "21.05";
|
system.stateVersion = "21.05";
|
||||||
}
|
}
|
||||||
|
|
|
@ -20,8 +20,6 @@
|
||||||
{ user = "freshrss"; group = "freshrss"; directory = "/var/lib/freshrss"; }
|
{ user = "freshrss"; group = "freshrss"; directory = "/var/lib/freshrss"; }
|
||||||
];
|
];
|
||||||
|
|
||||||
users.users.freshrss.uid = config.sane.allocations.freshrss-uid;
|
|
||||||
users.groups.freshrss.gid = config.sane.allocations.freshrss-gid;
|
|
||||||
services.freshrss.enable = true;
|
services.freshrss.enable = true;
|
||||||
services.freshrss.baseUrl = "https://rss.uninsane.org";
|
services.freshrss.baseUrl = "https://rss.uninsane.org";
|
||||||
services.freshrss.virtualHost = "rss.uninsane.org";
|
services.freshrss.virtualHost = "rss.uninsane.org";
|
||||||
|
|
|
@ -5,7 +5,6 @@
|
||||||
# TODO: mode? could be more granular
|
# TODO: mode? could be more granular
|
||||||
{ user = "git"; group = "gitea"; directory = "/var/lib/gitea"; }
|
{ user = "git"; group = "gitea"; directory = "/var/lib/gitea"; }
|
||||||
];
|
];
|
||||||
users.groups.gitea.gid = config.sane.allocations.gitea-gid;
|
|
||||||
services.gitea.enable = true;
|
services.gitea.enable = true;
|
||||||
services.gitea.user = "git"; # default is 'gitea'
|
services.gitea.user = "git"; # default is 'gitea'
|
||||||
services.gitea.database.type = "postgres";
|
services.gitea.database.type = "postgres";
|
||||||
|
|
|
@ -63,7 +63,5 @@ lib.mkIf false
|
||||||
|
|
||||||
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."jelly" = "native";
|
sane.services.trust-dns.zones."uninsane.org".inet.CNAME."jelly" = "native";
|
||||||
|
|
||||||
# users.users.jellyfin.uid = config.sane.allocations.jellyfin-uid;
|
|
||||||
# users.groups.jellyfin.gid = config.sane.allocations.jellyfin-gid;
|
|
||||||
services.jellyfin.enable = true;
|
services.jellyfin.enable = true;
|
||||||
}
|
}
|
||||||
|
|
|
@ -120,8 +120,6 @@ in
|
||||||
security.acme.acceptTerms = true;
|
security.acme.acceptTerms = true;
|
||||||
security.acme.defaults.email = "admin.acme@uninsane.org";
|
security.acme.defaults.email = "admin.acme@uninsane.org";
|
||||||
|
|
||||||
users.users.acme.uid = config.sane.allocations.acme-uid;
|
|
||||||
users.groups.acme.gid = config.sane.allocations.acme-gid;
|
|
||||||
sane.persist.sys.plaintext = [
|
sane.persist.sys.plaintext = [
|
||||||
# TODO: mode?
|
# TODO: mode?
|
||||||
{ user = "acme"; group = "acme"; directory = "/var/lib/acme"; }
|
{ user = "acme"; group = "acme"; directory = "/var/lib/acme"; }
|
||||||
|
|
|
@ -10,8 +10,6 @@
|
||||||
# TODO: mode? could be more granular
|
# TODO: mode? could be more granular
|
||||||
{ user = "pleroma"; group = "pleroma"; directory = "/var/lib/pleroma"; }
|
{ user = "pleroma"; group = "pleroma"; directory = "/var/lib/pleroma"; }
|
||||||
];
|
];
|
||||||
users.users.pleroma.uid = config.sane.allocations.pleroma-uid;
|
|
||||||
users.groups.pleroma.gid = config.sane.allocations.pleroma-gid;
|
|
||||||
services.pleroma.enable = true;
|
services.pleroma.enable = true;
|
||||||
services.pleroma.secretConfigFile = config.sops.secrets.pleroma_secrets.path;
|
services.pleroma.secretConfigFile = config.sops.secrets.pleroma_secrets.path;
|
||||||
services.pleroma.configs = [
|
services.pleroma.configs = [
|
||||||
|
|
|
@ -11,8 +11,6 @@ lib.mkIf false
|
||||||
sopsFile = ../../../secrets/servo.yaml;
|
sopsFile = ../../../secrets/servo.yaml;
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users.mediawiki.uid = config.sane.allocations.mediawiki-uid;
|
|
||||||
|
|
||||||
services.mediawiki.enable = true;
|
services.mediawiki.enable = true;
|
||||||
services.mediawiki.name = "Uninsane Wiki";
|
services.mediawiki.name = "Uninsane Wiki";
|
||||||
services.mediawiki.passwordFile = config.sops.secrets.mediawiki_pw.path;
|
services.mediawiki.passwordFile = config.sops.secrets.mediawiki_pw.path;
|
||||||
|
|
|
@ -12,7 +12,6 @@
|
||||||
home = "/var/lib/gitea";
|
home = "/var/lib/gitea";
|
||||||
useDefaultShell = true;
|
useDefaultShell = true;
|
||||||
group = "gitea";
|
group = "gitea";
|
||||||
uid = config.sane.allocations.git-uid;
|
|
||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
# sendmail access (not 100% sure if this is necessary)
|
# sendmail access (not 100% sure if this is necessary)
|
||||||
extraGroups = [ "postdrop" ];
|
extraGroups = [ "postdrop" ];
|
||||||
|
|
|
@ -1,63 +0,0 @@
|
||||||
{ lib, ... }:
|
|
||||||
|
|
||||||
with lib;
|
|
||||||
let
|
|
||||||
mkId = id: mkOption {
|
|
||||||
default = id;
|
|
||||||
type = types.int;
|
|
||||||
};
|
|
||||||
in
|
|
||||||
{
|
|
||||||
options = {
|
|
||||||
# legacy servo users, some are inconvenient to migrate
|
|
||||||
sane.allocations.dhcpcd-gid = mkId 991;
|
|
||||||
sane.allocations.dhcpcd-uid = mkId 992;
|
|
||||||
sane.allocations.gitea-gid = mkId 993;
|
|
||||||
sane.allocations.git-uid = mkId 994;
|
|
||||||
sane.allocations.jellyfin-gid = mkId 994;
|
|
||||||
sane.allocations.pleroma-gid = mkId 995;
|
|
||||||
sane.allocations.jellyfin-uid = mkId 996;
|
|
||||||
sane.allocations.acme-gid = mkId 996;
|
|
||||||
sane.allocations.pleroma-uid = mkId 997;
|
|
||||||
sane.allocations.acme-uid = mkId 998;
|
|
||||||
sane.allocations.greeter-uid = mkId 999;
|
|
||||||
sane.allocations.greeter-gid = mkId 999;
|
|
||||||
|
|
||||||
# new servo users
|
|
||||||
sane.allocations.freshrss-uid = mkId 2401;
|
|
||||||
sane.allocations.freshrss-gid = mkId 2401;
|
|
||||||
sane.allocations.mediawiki-uid = mkId 2402;
|
|
||||||
|
|
||||||
sane.allocations.colin-uid = mkId 1000;
|
|
||||||
sane.allocations.guest-uid = mkId 1100;
|
|
||||||
|
|
||||||
# found on all hosts
|
|
||||||
sane.allocations.sshd-uid = mkId 2001; # 997
|
|
||||||
sane.allocations.sshd-gid = mkId 2001; # 997
|
|
||||||
sane.allocations.polkituser-gid = mkId 2002; # 998
|
|
||||||
sane.allocations.systemd-coredump-gid = mkId 2003; # 996
|
|
||||||
sane.allocations.nscd-uid = mkId 2004;
|
|
||||||
sane.allocations.nscd-gid = mkId 2004;
|
|
||||||
sane.allocations.systemd-oom-uid = mkId 2005;
|
|
||||||
sane.allocations.systemd-oom-gid = mkId 2005;
|
|
||||||
|
|
||||||
# found on graphical hosts
|
|
||||||
sane.allocations.nm-iodine-uid = mkId 2101; # desko/moby/lappy
|
|
||||||
|
|
||||||
# found on desko host
|
|
||||||
sane.allocations.usbmux-uid = mkId 2204;
|
|
||||||
sane.allocations.usbmux-gid = mkId 2204;
|
|
||||||
|
|
||||||
|
|
||||||
# originally found on moby host
|
|
||||||
sane.allocations.avahi-uid = mkId 2304;
|
|
||||||
sane.allocations.avahi-gid = mkId 2304;
|
|
||||||
sane.allocations.colord-uid = mkId 2305;
|
|
||||||
sane.allocations.colord-gid = mkId 2305;
|
|
||||||
sane.allocations.geoclue-uid = mkId 2306;
|
|
||||||
sane.allocations.geoclue-gid = mkId 2306;
|
|
||||||
sane.allocations.rtkit-uid = mkId 2307;
|
|
||||||
sane.allocations.rtkit-gid = mkId 2307;
|
|
||||||
sane.allocations.feedbackd-gid = mkId 2308;
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -2,11 +2,11 @@
|
||||||
|
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
./allocations.nix
|
|
||||||
./feeds.nix
|
./feeds.nix
|
||||||
./fs
|
./fs
|
||||||
./gui
|
./gui
|
||||||
./home-manager
|
./home-manager
|
||||||
|
./ids.nix
|
||||||
./packages.nix
|
./packages.nix
|
||||||
./image.nix
|
./image.nix
|
||||||
./nixcache.nix
|
./nixcache.nix
|
||||||
|
|
|
@ -23,8 +23,6 @@ in
|
||||||
|
|
||||||
config = lib.mkIf cfg.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
sane.packages.enableGuiPkgs = lib.mkDefault true;
|
sane.packages.enableGuiPkgs = lib.mkDefault true;
|
||||||
# all GUIs use network manager?
|
|
||||||
users.users.nm-iodine.uid = config.sane.allocations.nm-iodine-uid;
|
|
||||||
|
|
||||||
# preserve backlight brightness across power cycles
|
# preserve backlight brightness across power cycles
|
||||||
# see `man systemd-backlight`
|
# see `man systemd-backlight`
|
||||||
|
|
|
@ -15,15 +15,6 @@ in
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
sane.gui.enable = true;
|
sane.gui.enable = true;
|
||||||
|
|
||||||
users.users.avahi.uid = config.sane.allocations.avahi-uid;
|
|
||||||
users.groups.avahi.gid = config.sane.allocations.avahi-gid;
|
|
||||||
users.users.colord.uid = config.sane.allocations.colord-uid;
|
|
||||||
users.groups.colord.gid = config.sane.allocations.colord-gid;
|
|
||||||
users.users.geoclue.uid = config.sane.allocations.geoclue-uid;
|
|
||||||
users.groups.geoclue.gid = config.sane.allocations.geoclue-gid;
|
|
||||||
users.users.rtkit.uid = config.sane.allocations.rtkit-uid;
|
|
||||||
users.groups.rtkit.gid = config.sane.allocations.rtkit-gid;
|
|
||||||
|
|
||||||
# start gnome/gdm on boot
|
# start gnome/gdm on boot
|
||||||
services.xserver.enable = true;
|
services.xserver.enable = true;
|
||||||
services.xserver.desktopManager.gnome.enable = true;
|
services.xserver.desktopManager.gnome.enable = true;
|
||||||
|
|
|
@ -24,21 +24,6 @@ in
|
||||||
{
|
{
|
||||||
sane.gui.enable = true;
|
sane.gui.enable = true;
|
||||||
|
|
||||||
# gnome core-os-services
|
|
||||||
users.users.rtkit.uid = config.sane.allocations.rtkit-uid;
|
|
||||||
users.groups.rtkit.gid = config.sane.allocations.rtkit-gid;
|
|
||||||
|
|
||||||
# gnome core-shell
|
|
||||||
users.users.avahi.uid = config.sane.allocations.avahi-uid;
|
|
||||||
users.users.colord.uid = config.sane.allocations.colord-uid;
|
|
||||||
users.users.geoclue.uid = config.sane.allocations.geoclue-uid;
|
|
||||||
users.groups.avahi.gid = config.sane.allocations.avahi-gid;
|
|
||||||
users.groups.colord.gid = config.sane.allocations.colord-gid;
|
|
||||||
users.groups.geoclue.gid = config.sane.allocations.geoclue-gid;
|
|
||||||
|
|
||||||
# phosh
|
|
||||||
users.groups.feedbackd.gid = config.sane.allocations.feedbackd-gid;
|
|
||||||
|
|
||||||
# docs: https://github.com/NixOS/nixpkgs/blob/nixos-22.05/nixos/modules/services/x11/desktop-managers/phosh.nix
|
# docs: https://github.com/NixOS/nixpkgs/blob/nixos-22.05/nixos/modules/services/x11/desktop-managers/phosh.nix
|
||||||
services.xserver.desktopManager.phosh = {
|
services.xserver.desktopManager.phosh = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
|
@ -23,10 +23,6 @@ in
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
sane.gui.enable = true;
|
sane.gui.enable = true;
|
||||||
|
|
||||||
# greetd
|
|
||||||
users.users.greeter.uid = config.sane.allocations.greeter-uid;
|
|
||||||
users.groups.greeter.gid = config.sane.allocations.greeter-gid;
|
|
||||||
|
|
||||||
programs.sway = {
|
programs.sway = {
|
||||||
# we configure sway with home-manager, but this enable gets us e.g. opengl and fonts
|
# we configure sway with home-manager, but this enable gets us e.g. opengl and fonts
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
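--- /dev/null
+++ b/modules/ids.nix
@@ -0,0 +1,72 @@
+{ lib, config, ... }:
+
+with lib;
+let
+cfg = config.sane.ids;
+id = types.submodule {
+options = {
+uid = mkOption {
+type = types.nullOr types.int;
+default = null;
+};
+gid = mkOption {
+type = types.nullOr types.int;
+default = null;
+};
+};
+};
+
+userOpts = { name, ... }: {
+config =
+let
+ent-ids = cfg."${name}" or {};
+uid = ent-ids.uid or null;
+in
+{
+uid = lib.mkIf (uid != null) uid;
+};
+};
+
+groupOpts = { name, ... }: {
+config =
+let
+ent-ids = cfg."${name}" or {};
+gid = ent-ids.gid or null;
+in
+{
+gid = lib.mkIf (gid != null) gid;
+};
+};
+in
+{
+options = {
+sane.ids = mkOption {
+type = types.attrsOf id;
+default = {};
+};
+users.users = mkOption {
+type = types.attrsOf (types.submodule userOpts);
+};
+users.groups = mkOption {
+type = types.attrsOf (types.submodule groupOpts);
+};
+};
+
+config = {
+# guarantee determinism in uid/gid generation for users:
+assertions = let
+uidAssertions = builtins.attrValues (builtins.mapAttrs (name: user: {
+assertion = user.uid != null;
+message = "non-deterministic uid detected for: ${name}";
+}) config.users.users);
+gidAssertions = builtins.attrValues (builtins.mapAttrs (name: group: {
+assertion = group.gid != null;
+message = "non-deterministic gid detected for: ${name}";
+}) config.users.groups);
+autoSubAssertions = builtins.attrValues (builtins.mapAttrs (name: user: {
+assertion = !user.autoSubUidGidRange;
+message = "non-deterministic subUids/Guids detected for: ${name}";
+}) config.users.users);
+in uidAssertions ++ gidAssertions ++ autoSubAssertions;
+};
+}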
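Review bot: Nothing checks that two entries in `sane.ids` are pinned to the same number; the assertions at the bottom only require that every present user and group has some id, so a typo giving two accounts the same uid yields two accounts that share file ownership and are indistinguishable in audit logs. NixOS's own `users.enforceIdUniqueness` does reject a duplicate, but only on a host where both accounts actually exist, while this table is shared across hosts; the let-block below adds a table-level check so the collision fails on every evaluation. The `sane.ids` option and the `uid`/`gid` submodule options also have no `description`; something like `description = "uid/gid to pin for the user/group of this name; applied to users.users.<name> and users.groups.<name> when that entry exists"` would document the contract the two submodules implement.
```nix
config = {
  # guarantee determinism in uid/gid generation for users:
  assertions = let
    # every number pinned in the table must be unique, even when only one of
    # the colliding accounts exists on this host
    pinned = field: filter (v: v != null) (map (e: e.${field}) (attrValues cfg));
    uniqueIds = field: let ids = pinned field; in {
      assertion = length ids == length (unique ids);
      message = "duplicate ${field} pinned in sane.ids";
    };
    # … unchanged: uidAssertions, gidAssertions, autoSubAssertions …
  in [ (uniqueIds "uid") (uniqueIds "gid") ] ++ uidAssertions ++ gidAssertions ++ autoSubAssertions;
};
```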