nixos/users-groups: don't consider a system with Google OS Login inaccessible

This allows disabling users.mutableUsers without configuring any
authentication mechanisms (passwords, authorized SSH keys) other than
Google OS Login.
This commit is contained in:
edef 2020-07-19 00:24:00 +00:00
parent 903a0cac04
commit 2e4fb5cf4c

View File

@ -581,7 +581,7 @@ in {
# password or an SSH authorized key. Privileged accounts are
# root and users in the wheel group.
assertion = !cfg.mutableUsers ->
any id (mapAttrsToList (name: cfg:
any id ((mapAttrsToList (name: cfg:
(name == "root"
|| cfg.group == "wheel"
|| elem "wheel" cfg.extraGroups)
@ -591,7 +591,9 @@ in {
|| cfg.passwordFile != null
|| cfg.openssh.authorizedKeys.keys != []
|| cfg.openssh.authorizedKeys.keyFiles != [])
) cfg.users);
) cfg.users) ++ [
config.security.googleOsLogin.enable
]);
message = ''
Neither the root account nor any wheel user has a password or SSH authorized key.
You must set one to prevent being locked out of your system.'';