From 0f15a8f489b04a7d0086edf27920ba15fa1de0d3 Mon Sep 17 00:00:00 2001
From: Guillaume Girol <symphorien+git@xlumurb.eu>
Date: Sun, 8 Aug 2021 12:00:00 +0000
Subject: [PATCH] nixos/users-groups: don't default users.users.<name>.group to
 nogroup

Defaulting to nogroup is unsafe, as many distinct services may end up
running with the same nogroup group.
---
 nixos/modules/config/users-groups.nix | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
index f86be3be2c65..332b59894abc 100644
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -123,7 +123,7 @@ let
       group = mkOption {
         type = types.str;
         apply = x: assert (builtins.stringLength x < 32 || abort "Group name '${x}' is longer than 31 characters which is not allowed!"); x;
-        default = "nogroup";
+        default = "";
         description = "The user's primary group.";
       };
 
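Review bot: The `description` left as context under the new `default = "";` still reads only "The user's primary group.", so the generated option documentation will show an empty default without saying that the value is a sentinel and that the option now has to be set. As far as this hunk shows, both `types.str` and the length check in `apply` accept `""`, so the assertion added in the second hunk is the only place the unset case is caught; the option text should say that. I would change the line to something like `description = "The user's primary group. Must be set explicitly: the empty default is rejected by an assertion, because unrelated services would otherwise share the nogroup group.";`. The option set that contains `group` starts and ends outside the hunk.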
@@ -638,6 +638,16 @@ in {
               Exactly one of users.users.${user.name}.isSystemUser and users.users.${user.name}.isNormalUser must be set.
             '';
           }
+          {
+            assertion = user.group != "";
+            message = ''
+              users.users.${user.name}.group is unset. This used to default to
+              nogroup, but this is unsafe. For example you can create a group
+              for this user with:
+              users.users.${user.name}.group = "${user.name}";
+              users.groups.${user.name} = {};
+            '';
+          }
         ]
     ));