Merge pull request #133166 from symphorien/nonogroup

Don't default to nogroup for the primary group of users.
Guillaume Girol 2021-09-13 18:29:21 +00:00 committed by GitHub
commit 3592034595
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
49 changed files with 207 additions and 53 deletions


@ -367,6 +367,33 @@ Superuser created successfully.
notes</link>). notes</link>).
</para> </para>
</listitem> </listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-users.users._name_.group">users.users.&lt;name&gt;.group</link>
no longer defaults to <literal>nogroup</literal>, which was
insecure. Out-of-tree modules are likely to require
adaptation: instead of
</para>
<programlisting language="bash">
{
users.users.foo = {
isSystemUser = true;
};
}
</programlisting>
<para>
also create a group for your user:
</para>
<programlisting language="bash">
{
users.users.foo = {
isSystemUser = true;
group = &quot;foo&quot;;
};
users.groups.foo = {};
}
</programlisting>
</listitem>
<listitem> <listitem>
<para> <para>
<literal>services.geoip-updater</literal> was broken and has <literal>services.geoip-updater</literal> was broken and has


@ -136,6 +136,25 @@ subsonic-compatible api. Available as [navidrome](#opt-services.navidrome.enable
- The `erigon` ethereum node has moved it's database location in `2021-08-03`, users upgrading must manually move their chaindata (see [release notes](https://github.com/ledgerwatch/erigon/releases/tag/v2021.08.03)). - The `erigon` ethereum node has moved it's database location in `2021-08-03`, users upgrading must manually move their chaindata (see [release notes](https://github.com/ledgerwatch/erigon/releases/tag/v2021.08.03)).
- [users.users.&lt;name&gt;.group](options.html#opt-users.users._name_.group) no longer defaults to `nogroup`, which was insecure. Out-of-tree modules are likely to require adaptation: instead of
```nix
{
users.users.foo = {
isSystemUser = true;
};
}
```
also create a group for your user:
```nix
{
users.users.foo = {
isSystemUser = true;
group = "foo";
};
users.groups.foo = {};
}
```
- `services.geoip-updater` was broken and has been replaced by [services.geoipupdate](options.html#opt-services.geoipupdate.enable). - `services.geoip-updater` was broken and has been replaced by [services.geoipupdate](options.html#opt-services.geoipupdate.enable).
- PHP 7.3 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 21.11 release. - PHP 7.3 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 21.11 release.


@ -123,7 +123,7 @@ let
group = mkOption { group = mkOption {
type = types.str; type = types.str;
apply = x: assert (builtins.stringLength x < 32 || abort "Group name '${x}' is longer than 31 characters which is not allowed!"); x; apply = x: assert (builtins.stringLength x < 32 || abort "Group name '${x}' is longer than 31 characters which is not allowed!"); x;
default = "nogroup"; default = "";
description = "The user's primary group."; description = "The user's primary group.";
}; };
@ -640,6 +640,16 @@ in {
Exactly one of users.users.${user.name}.isSystemUser and users.users.${user.name}.isNormalUser must be set. Exactly one of users.users.${user.name}.isSystemUser and users.users.${user.name}.isNormalUser must be set.
''; '';
} }
{
assertion = user.group != "";
message = ''
users.users.${user.name}.group is unset. This used to default to
nogroup, but this is unsafe. For example you can create a group
for this user with:
users.users.${user.name}.group = "${user.name}";
users.groups.${user.name} = {};
'';
}
] ]
)); ));
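Review bot: The option description on the `description = "The user's primary group.";` line of the first hunk still reads as if a default existed, while the hunk drops the `nogroup` default to `""` and the second hunk adds an assertion rejecting the empty string. A user reading the generated options manual gets no hint that the value is now mandatory, so I would change it to `description = "The user's primary group. No default is provided; the module asserts that it is set to a non-empty group name.";`. The assertion list that the second hunk extends starts and ends outside the hunk. Note that the assertion only checks for a non-empty name, not that a matching `users.groups` entry exists, which is presumably left to the existing activation-time handling.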


@ -83,14 +83,14 @@ in
#fourstore = 42; # dropped in 20.03 #fourstore = 42; # dropped in 20.03
#fourstorehttp = 43; # dropped in 20.03 #fourstorehttp = 43; # dropped in 20.03
virtuoso = 44; virtuoso = 44;
rtkit = 45; #rtkit = 45; # dynamically allocated 2021-09-03
dovecot2 = 46; dovecot2 = 46;
dovenull2 = 47; dovenull2 = 47;
prayer = 49; prayer = 49;
mpd = 50; mpd = 50;
clamav = 51; clamav = 51;
fprot = 52; fprot = 52;
bind = 53; # bind = 53; #dynamically allocated as of 2021-09-03
wwwrun = 54; wwwrun = 54;
#adm = 55; # unused #adm = 55; # unused
spamd = 56; spamd = 56;
@ -134,13 +134,13 @@ in
firebird = 95; firebird = 95;
#keys = 96; # unused #keys = 96; # unused
#haproxy = 97; # dynamically allocated as of 2020-03-11 #haproxy = 97; # dynamically allocated as of 2020-03-11
mongodb = 98; #mongodb = 98; #dynamically allocated as of 2021-09-03
#openldap = 99; # dynamically allocated as of PR#94610 #openldap = 99; # dynamically allocated as of PR#94610
#users = 100; # unused #users = 100; # unused
cgminer = 101; cgminer = 101;
munin = 102; munin = 102;
logcheck = 103; logcheck = 103;
nix-ssh = 104; #nix-ssh = 104; #dynamically allocated as of 2021-09-03
dictd = 105; dictd = 105;
couchdb = 106; couchdb = 106;
#searx = 107; # dynamically allocated as of 2020-10-27 #searx = 107; # dynamically allocated as of 2020-10-27
@ -149,9 +149,9 @@ in
systemd-journal-gateway = 110; systemd-journal-gateway = 110;
#notbit = 111; # unused #notbit = 111; # unused
aerospike = 111; aerospike = 111;
ngircd = 112; #ngircd = 112; #dynamically allocated as of 2021-09-03
#btsync = 113; # unused #btsync = 113; # unused
minecraft = 114; #minecraft = 114; #dynamically allocated as of 2021-09-03
vault = 115; vault = 115;
rippled = 116; rippled = 116;
murmur = 117; murmur = 117;
@ -169,19 +169,19 @@ in
mopidy = 130; mopidy = 130;
#docker = 131; # unused #docker = 131; # unused
gdm = 132; gdm = 132;
dhcpd = 133; #dhcpd = 133; # dynamically allocated as of 2021-09-03
siproxd = 134; siproxd = 134;
mlmmj = 135; mlmmj = 135;
neo4j = 136; #neo4j = 136;# dynamically allocated as of 2021-09-03
riemann = 137; riemann = 137;
riemanndash = 138; riemanndash = 138;
radvd = 139; #radvd = 139;# dynamically allocated as of 2021-09-03
zookeeper = 140; #zookeeper = 140;# dynamically allocated as of 2021-09-03
dnsmasq = 141; #dnsmasq = 141;# dynamically allocated as of 2021-09-03
#uhub = 142; # unused #uhub = 142; # unused
yandexdisk = 143; yandexdisk = 143;
mxisd = 144; # was once collectd mxisd = 144; # was once collectd
consul = 145; #consul = 145;# dynamically allocated as of 2021-09-03
mailpile = 146; mailpile = 146;
redmine = 147; redmine = 147;
#seeks = 148; # removed 2020-06-21 #seeks = 148; # removed 2020-06-21
@ -192,7 +192,7 @@ in
systemd-resolve = 153; systemd-resolve = 153;
systemd-timesync = 154; systemd-timesync = 154;
liquidsoap = 155; liquidsoap = 155;
etcd = 156; #etcd = 156;# dynamically allocated as of 2021-09-03
hbase = 158; hbase = 158;
opentsdb = 159; opentsdb = 159;
scollector = 160; scollector = 160;
@ -204,7 +204,7 @@ in
tox-bootstrapd = 166; tox-bootstrapd = 166;
cadvisor = 167; cadvisor = 167;
nylon = 168; nylon = 168;
apache-kafka = 169; #apache-kafka = 169;# dynamically allocated as of 2021-09-03
#panamax = 170; # unused #panamax = 170; # unused
exim = 172; exim = 172;
#fleet = 173; # unused #fleet = 173; # unused
@ -241,7 +241,7 @@ in
gateone = 207; gateone = 207;
namecoin = 208; namecoin = 208;
#lxd = 210; # unused #lxd = 210; # unused
kibana = 211; #kibana = 211;# dynamically allocated as of 2021-09-03
xtreemfs = 212; xtreemfs = 212;
calibre-server = 213; calibre-server = 213;
heapster = 214; heapster = 214;
@ -264,7 +264,7 @@ in
avahi-autoipd = 231; avahi-autoipd = 231;
nntp-proxy = 232; nntp-proxy = 232;
mjpg-streamer = 233; mjpg-streamer = 233;
radicale = 234; #radicale = 234;# dynamically allocated as of 2021-09-03
hydra-queue-runner = 235; hydra-queue-runner = 235;
hydra-www = 236; hydra-www = 236;
syncthing = 237; syncthing = 237;
@ -272,14 +272,14 @@ in
taskd = 240; taskd = 240;
# factorio = 241; # DynamicUser = true # factorio = 241; # DynamicUser = true
# emby = 242; # unusued, removed 2019-05-01 # emby = 242; # unusued, removed 2019-05-01
graylog = 243; #graylog = 243;# dynamically allocated as of 2021-09-03
sniproxy = 244; sniproxy = 244;
nzbget = 245; nzbget = 245;
mosquitto = 246; mosquitto = 246;
toxvpn = 247; toxvpn = 247;
# squeezelite = 248; # DynamicUser = true # squeezelite = 248; # DynamicUser = true
turnserver = 249; turnserver = 249;
smokeping = 250; #smokeping = 250;# dynamically allocated as of 2021-09-03
gocd-agent = 251; gocd-agent = 251;
gocd-server = 252; gocd-server = 252;
terraria = 253; terraria = 253;
@ -554,7 +554,7 @@ in
#shout = 206; #unused #shout = 206; #unused
gateone = 207; gateone = 207;
namecoin = 208; namecoin = 208;
lxd = 210; # unused #lxd = 210; # unused
#kibana = 211; #kibana = 211;
xtreemfs = 212; xtreemfs = 212;
calibre-server = 213; calibre-server = 213;
@ -573,7 +573,7 @@ in
cfdyndns = 227; cfdyndns = 227;
pdnsd = 229; pdnsd = 229;
octoprint = 230; octoprint = 230;
radicale = 234; #radicale = 234;# dynamically allocated as of 2021-09-03
syncthing = 237; syncthing = 237;
caddy = 239; caddy = 239;
taskd = 240; taskd = 240;
@ -585,7 +585,7 @@ in
#toxvpn = 247; # unused #toxvpn = 247; # unused
#squeezelite = 248; #unused #squeezelite = 248; #unused
turnserver = 249; turnserver = 249;
smokeping = 250; #smokeping = 250;# dynamically allocated as of 2021-09-03
gocd-agent = 251; gocd-agent = 251;
gocd-server = 252; gocd-server = 252;
terraria = 253; terraria = 253;
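Review bot: The static uids commented out in this file (rtkit, bind, mongodb, nix-ssh, ngircd, minecraft, dhcpd, neo4j, radvd, zookeeper, dnsmasq, consul, etcd, apache-kafka, kibana, radicale, graylog, smokeping) and the gids for lxd, radicale and smokeping are an operator-visible change that the release note in this PR does not mention; it only documents the `nogroup` default. Existing installations presumably keep the ids already recorded in their passwd/group files, but a fresh install that restores a service's state directory from backup will see files owned by the old numeric id, which for the daemons here means state that is either unreadable or silently owned by whichever account later receives that id. I would add a sentence to both release-note hunks, e.g. `The fixed uids/gids previously reserved for these services in ids.nix were removed; ownership of restored state directories may need to be fixed on new installations.`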


@ -35,9 +35,12 @@ with lib;
services.dbus.packages = [ pkgs.rtkit ]; services.dbus.packages = [ pkgs.rtkit ];
users.users.rtkit = users.users.rtkit =
{ uid = config.ids.uids.rtkit; {
isSystemUser = true;
group = "rtkit";
description = "RealtimeKit daemon"; description = "RealtimeKit daemon";
}; };
users.groups.rtkit = {};
}; };


@ -169,6 +169,7 @@ let
(map (mkAuthorizedKey cfg false) cfg.authorizedKeys (map (mkAuthorizedKey cfg false) cfg.authorizedKeys
++ map (mkAuthorizedKey cfg true) cfg.authorizedKeysAppendOnly); ++ map (mkAuthorizedKey cfg true) cfg.authorizedKeysAppendOnly);
useDefaultShell = true; useDefaultShell = true;
group = cfg.group;
isSystemUser = true; isSystemUser = true;
}; };
groups.${cfg.group} = { }; groups.${cfg.group} = { };


@ -185,6 +185,7 @@ in
users.users = optionalAttrs (cfg.user == "influxdb") { users.users = optionalAttrs (cfg.user == "influxdb") {
influxdb = { influxdb = {
uid = config.ids.uids.influxdb; uid = config.ids.uids.influxdb;
group = "influxdb";
description = "Influxdb daemon user"; description = "Influxdb daemon user";
}; };
}; };
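Review bot: The added `group = "influxdb";` references a group that this hunk does not create, unlike the memcached, mongodb and most other sections of this PR which add a `users.groups.&lt;name&gt; = {};` alongside the user. Presumably `users.groups.influxdb` is defined elsewhere in the module, but that is not visible here and the new assertion in users-groups.nix only checks that the name is non-empty, so an undefined group would surface later rather than at evaluation; please confirm. The same applies to the graphite, git, atd, nm-openvpn and systemd-coredump sections, none of which shows a matching `users.groups` entry in its hunk.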


@ -67,7 +67,9 @@ in
users.users = optionalAttrs (cfg.user == "memcached") { users.users = optionalAttrs (cfg.user == "memcached") {
memcached.description = "Memcached server user"; memcached.description = "Memcached server user";
memcached.isSystemUser = true; memcached.isSystemUser = true;
memcached.group = "memcached";
}; };
users.groups = optionalAttrs (cfg.user == "memcached") { memcached = {}; };
environment.systemPackages = [ memcached ]; environment.systemPackages = [ memcached ];


@ -123,9 +123,11 @@ in
users.users.mongodb = mkIf (cfg.user == "mongodb") users.users.mongodb = mkIf (cfg.user == "mongodb")
{ name = "mongodb"; { name = "mongodb";
uid = config.ids.uids.mongodb; isSystemUser = true;
group = "mongodb";
description = "MongoDB server user"; description = "MongoDB server user";
}; };
users.groups.mongodb = mkIf (cfg.user == "mongodb") {};
environment.systemPackages = [ mongodb ]; environment.systemPackages = [ mongodb ];


@ -651,10 +651,12 @@ in {
environment.systemPackages = [ cfg.package ]; environment.systemPackages = [ cfg.package ];
users.users.neo4j = { users.users.neo4j = {
uid = config.ids.uids.neo4j; isSystemUser = true;
group = "neo4j";
description = "Neo4j daemon user"; description = "Neo4j daemon user";
home = cfg.directories.home; home = cfg.directories.home;
}; };
users.groups.neo4j = {};
}; };
meta = { meta = {


@ -246,6 +246,7 @@ in {
users.users.redis = { users.users.redis = {
description = "Redis database user"; description = "Redis database user";
group = "redis";
isSystemUser = true; isSystemUser = true;
}; };
users.groups.redis = {}; users.groups.redis = {};


@ -167,8 +167,10 @@ in {
description = "Minecraft server service user"; description = "Minecraft server service user";
home = cfg.dataDir; home = cfg.dataDir;
createHome = true; createHome = true;
uid = config.ids.uids.minecraft; isSystemUser = true;
group = "minecraft";
}; };
users.groups.minecraft = {};
systemd.services.minecraft-server = { systemd.services.minecraft-server = {
description = "Minecraft Server Service"; description = "Minecraft Server Service";


@ -128,10 +128,12 @@ in
users.users = mkIf (cfg.user == "graylog") { users.users = mkIf (cfg.user == "graylog") {
graylog = { graylog = {
uid = config.ids.uids.graylog; isSystemUser = true;
group = "graylog";
description = "Graylog server daemon user"; description = "Graylog server daemon user";
}; };
}; };
users.groups = mkIf (cfg.user == "graylog") {};
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d '${cfg.messageJournalDir}' - ${cfg.user} - - -" "d '${cfg.messageJournalDir}' - ${cfg.user} - - -"
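Review bot: `users.groups = mkIf (cfg.user == "graylog") {};` never creates the `graylog` group that the new `group = "graylog";` line above refers to; it assigns an empty attribute set to `users.groups` as a whole, so the user's primary group stays undefined. The mongodb section in this same PR shows the intended form; this line should be `users.groups = mkIf (cfg.user == "graylog") { graylog = {}; };`.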


@ -165,10 +165,12 @@ in {
users.users.airsonic = { users.users.airsonic = {
description = "Airsonic service user"; description = "Airsonic service user";
group = "airsonic";
name = cfg.user; name = cfg.user;
home = cfg.home; home = cfg.home;
createHome = true; createHome = true;
isSystemUser = true; isSystemUser = true;
}; };
users.groups.airsonic = {};
}; };
} }


@ -120,10 +120,12 @@ in {
environment.systemPackages = [cfg.package]; environment.systemPackages = [cfg.package];
users.users.apache-kafka = { users.users.apache-kafka = {
uid = config.ids.uids.apache-kafka; isSystemUser = true;
group = "apache-kafka";
description = "Apache Kafka daemon user"; description = "Apache Kafka daemon user";
home = head cfg.logDirs; home = head cfg.logDirs;
}; };
users.groups.apache-kafka = {};
systemd.tmpfiles.rules = map (logDir: "d '${logDir}' 0700 apache-kafka - - -") cfg.logDirs; systemd.tmpfiles.rules = map (logDir: "d '${logDir}' 0700 apache-kafka - - -") cfg.logDirs;


@ -151,7 +151,9 @@ in {
home = cfg.storagePath; home = cfg.storagePath;
} }
else {}) // { else {}) // {
group = "docker-registry";
isSystemUser = true; isSystemUser = true;
}; };
users.groups.docker-registry = {};
}; };
} }


@ -187,9 +187,11 @@ in {
environment.systemPackages = [ pkgs.etcd ]; environment.systemPackages = [ pkgs.etcd ];
users.users.etcd = { users.users.etcd = {
uid = config.ids.uids.etcd; isSystemUser = true;
group = "etcd";
description = "Etcd daemon user"; description = "Etcd daemon user";
home = cfg.dataDir; home = cfg.dataDir;
}; };
users.groups.etcd = {};
}; };
} }


@ -44,9 +44,11 @@ in {
users.users.nix-ssh = { users.users.nix-ssh = {
description = "Nix SSH store user"; description = "Nix SSH store user";
uid = config.ids.uids.nix-ssh; isSystemUser = true;
group = "nix-ssh";
useDefaultShell = true; useDefaultShell = true;
}; };
users.groups.nix-ssh = {};
services.openssh.enable = true; services.openssh.enable = true;


@ -148,9 +148,11 @@ in {
}; };
users.users.zookeeper = { users.users.zookeeper = {
uid = config.ids.uids.zookeeper; isSystemUser = true;
group = "zookeeper";
description = "Zookeeper daemon user"; description = "Zookeeper daemon user";
home = cfg.dataDir; home = cfg.dataDir;
}; };
users.groups.zookeeper = {};
}; };
} }


@ -561,6 +561,7 @@ in {
) { ) {
users.users.graphite = { users.users.graphite = {
uid = config.ids.uids.graphite; uid = config.ids.uids.graphite;
group = "graphite";
description = "Graphite daemon user"; description = "Graphite daemon user";
home = dataDir; home = dataDir;
}; };


@ -258,6 +258,7 @@ in {
users.users = optionalAttrs (cfg.user == defaultUser) { users.users = optionalAttrs (cfg.user == defaultUser) {
${defaultUser} = { ${defaultUser} = {
group = defaultUser;
isSystemUser = true; isSystemUser = true;
}; };
}; };


@ -36,6 +36,7 @@ in {
groups._tuptime.members = [ "_tuptime" ]; groups._tuptime.members = [ "_tuptime" ];
users._tuptime = { users._tuptime = {
isSystemUser = true; isSystemUser = true;
group = "_tuptime";
description = "tuptime database owner"; description = "tuptime database owner";
}; };
}; };


@ -193,7 +193,10 @@ in {
environment.systemPackages = [ pkgs.orangefs ]; environment.systemPackages = [ pkgs.orangefs ];
# orangefs daemon will run as user # orangefs daemon will run as user
users.users.orangefs.isSystemUser = true; users.users.orangefs = {
isSystemUser = true;
group = "orangfs";
};
users.groups.orangefs = {}; users.groups.orangefs = {};
# To format the file system the config file is needed. # To format the file system the config file is needed.
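Review bot: `group = "orangfs";` is misspelled; the group created on the next line is `users.groups.orangefs`, so the user's primary group points at a name that does not exist and the new non-empty assertion in users-groups.nix will not catch it. The line should read `group = "orangefs";`.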


@ -229,9 +229,11 @@ in
users.users.${bindUser} = users.users.${bindUser} =
{ {
uid = config.ids.uids.bind; group = bindUser;
description = "BIND daemon user"; description = "BIND daemon user";
isSystemUser = true;
}; };
users.groups.${bindUser} = {};
systemd.services.bind = { systemd.services.bind = {
description = "BIND Domain Name Server"; description = "BIND Domain Name Server";


@ -159,10 +159,12 @@ in
users.users.consul = { users.users.consul = {
description = "Consul agent daemon user"; description = "Consul agent daemon user";
uid = config.ids.uids.consul; isSystemUser = true;
group = "consul";
# The shell is needed for health checks # The shell is needed for health checks
shell = "/run/current-system/sw/bin/bash"; shell = "/run/current-system/sw/bin/bash";
}; };
users.groups.consul = {};
environment = { environment = {
etc."consul.json".text = builtins.toJSON configOptions; etc."consul.json".text = builtins.toJSON configOptions;


@ -311,6 +311,7 @@ in {
{ {
users.users.turnserver = users.users.turnserver =
{ uid = config.ids.uids.turnserver; { uid = config.ids.uids.turnserver;
group = "turnserver";
description = "coturn TURN server user"; description = "coturn TURN server user";
}; };
users.groups.turnserver = users.groups.turnserver =


@ -212,9 +212,11 @@ in
users = { users = {
users.dhcpd = { users.dhcpd = {
uid = config.ids.uids.dhcpd; isSystemUser = true;
group = "dhcpd";
description = "DHCP daemon user"; description = "DHCP daemon user";
}; };
groups.dhcpd = {};
}; };
systemd.services = dhcpdService "4" cfg4 // dhcpdService "6" cfg6; systemd.services = dhcpdService "4" cfg4 // dhcpdService "6" cfg6;


@ -87,9 +87,11 @@ in
services.dbus.packages = [ dnsmasq ]; services.dbus.packages = [ dnsmasq ];
users.users.dnsmasq = { users.users.dnsmasq = {
uid = config.ids.uids.dnsmasq; isSystemUser = true;
group = "dnsmasq";
description = "Dnsmasq daemon user"; description = "Dnsmasq daemon user";
}; };
users.groups.dnsmasq = {};
networking.resolvconf = mkIf cfg.resolveLocalQueries { networking.resolvconf = mkIf cfg.resolveLocalQueries {
useLocalResolver = mkDefault true; useLocalResolver = mkDefault true;


@ -107,6 +107,7 @@ in
users.users = optionalAttrs (cfg.user == "git") { users.users = optionalAttrs (cfg.user == "git") {
git = { git = {
uid = config.ids.uids.git; uid = config.ids.uids.git;
group = "git";
description = "Git daemon user"; description = "Git daemon user";
}; };
}; };


@ -190,6 +190,7 @@ in
users.users.${iodinedUser} = { users.users.${iodinedUser} = {
uid = config.ids.uids.iodined; uid = config.ids.uids.iodined;
group = "iodined";
description = "Iodine daemon user"; description = "Iodine daemon user";
}; };
users.groups.iodined.gid = config.ids.gids.iodined; users.groups.iodined.gid = config.ids.gids.iodined;


@ -77,7 +77,9 @@ in
createHome = true; createHome = true;
home = "/var/lib/morty"; home = "/var/lib/morty";
isSystemUser = true; isSystemUser = true;
group = "morty";
}; };
users.groups.morty = {};
systemd.services.morty = systemd.services.morty =
{ {


@ -245,8 +245,10 @@ in
users.users.ncdns = { users.users.ncdns = {
isSystemUser = true; isSystemUser = true;
group = "ncdns";
description = "ncdns daemon user"; description = "ncdns daemon user";
}; };
users.groups.ncdns = {};
systemd.services.ncdns = { systemd.services.ncdns = {
description = "ncdns daemon"; description = "ncdns daemon";


@ -464,6 +464,7 @@ in {
users.users = { users.users = {
nm-openvpn = { nm-openvpn = {
uid = config.ids.uids.nm-openvpn; uid = config.ids.uids.nm-openvpn;
group = "nm-openvpn";
extraGroups = [ "networkmanager" ]; extraGroups = [ "networkmanager" ];
}; };
nm-iodine = { nm-iodine = {


@ -52,8 +52,11 @@ in {
}; };
users.users.ngircd = { users.users.ngircd = {
uid = config.ids.uids.ngircd; isSystemUser = true;
group = "ngircd";
description = "ngircd user."; description = "ngircd user.";
}; };
users.groups.ngircd = {};
}; };
} }


@ -74,7 +74,7 @@ in {
users."${cfg.user}" = { users."${cfg.user}" = {
description = "Pleroma user"; description = "Pleroma user";
home = cfg.stateDir; home = cfg.stateDir;
extraGroups = [ cfg.group ]; group = cfg.group;
isSystemUser = true; isSystemUser = true;
}; };
groups."${cfg.group}" = {}; groups."${cfg.group}" = {};


@ -140,9 +140,12 @@ in {
environment.systemPackages = [ pkg ]; environment.systemPackages = [ pkg ];
users.users.radicale.uid = config.ids.uids.radicale; users.users.radicale = {
isSystemUser = true;
group = "radicale";
};
users.groups.radicale.gid = config.ids.gids.radicale; users.groups.radicale = {};
systemd.services.radicale = { systemd.services.radicale = {
description = "A Simple Calendar and Contact Server"; description = "A Simple Calendar and Contact Server";


@ -55,9 +55,12 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
users.users.radvd = users.users.radvd =
{ uid = config.ids.uids.radvd; {
isSystemUser = true;
group = "radvd";
description = "Router Advertisement Daemon User"; description = "Router Advertisement Daemon User";
}; };
users.groups.radvd = {};
systemd.services.radvd = systemd.services.radvd =
{ description = "IPv6 Router Advertisement Daemon"; { description = "IPv6 Router Advertisement Daemon";


@ -259,7 +259,7 @@ in
user = mkOption { user = mkOption {
type = types.str; type = types.str;
default = "smokeping"; default = "smokeping";
description = "User that runs smokeping and (optionally) thttpd"; description = "User that runs smokeping and (optionally) thttpd. A group of the same name will be created as well.";
}; };
webService = mkOption { webService = mkOption {
type = types.bool; type = types.bool;
@ -285,11 +285,12 @@ in
users.users.${cfg.user} = { users.users.${cfg.user} = {
isNormalUser = false; isNormalUser = false;
isSystemUser = true; isSystemUser = true;
uid = config.ids.uids.smokeping; group = cfg.user;
description = "smokeping daemon user"; description = "smokeping daemon user";
home = smokepingHome; home = smokepingHome;
createHome = true; createHome = true;
}; };
users.groups.${cfg.user} = {};
systemd.services.smokeping = { systemd.services.smokeping = {
wantedBy = [ "multi-user.target"]; wantedBy = [ "multi-user.target"];
serviceConfig = { serviceConfig = {


@ -401,9 +401,12 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
users.users.sshd = users.users.sshd =
{ isSystemUser = true; {
isSystemUser = true;
group = "sshd";
description = "SSH privilege separation user"; description = "SSH privilege separation user";
}; };
users.groups.sshd = {};
services.openssh.moduliFile = mkDefault "${cfgc.package}/etc/ssh/moduli"; services.openssh.moduliFile = mkDefault "${cfgc.package}/etc/ssh/moduli";
services.openssh.sftpServerExecutable = mkDefault "${cfgc.package}/libexec/sftp-server"; services.openssh.sftpServerExecutable = mkDefault "${cfgc.package}/libexec/sftp-server";


@ -32,7 +32,11 @@ with lib;
config = mkIf config.services.tinydns.enable { config = mkIf config.services.tinydns.enable {
environment.systemPackages = [ pkgs.djbdns ]; environment.systemPackages = [ pkgs.djbdns ];
users.users.tinydns.isSystemUser = true; users.users.tinydns = {
isSystemUser = true;
group = "tinydns";
};
users.groups.tinydns = {};
systemd.services.tinydns = { systemd.services.tinydns = {
description = "djbdns tinydns server"; description = "djbdns tinydns server";


@ -58,7 +58,9 @@ in
security.pam.services.atd = {}; security.pam.services.atd = {};
users.users.atd = users.users.atd =
{ uid = config.ids.uids.atd; {
uid = config.ids.uids.atd;
group = "atd";
description = "atd user"; description = "atd user";
home = "/var/empty"; home = "/var/empty";
}; };


@ -199,10 +199,12 @@ in {
environment.systemPackages = [ cfg.package ]; environment.systemPackages = [ cfg.package ];
users.users.kibana = { users.users.kibana = {
uid = config.ids.uids.kibana; isSystemUser = true;
description = "Kibana service user"; description = "Kibana service user";
home = cfg.dataDir; home = cfg.dataDir;
createHome = true; createHome = true;
group = "kibana";
}; };
users.groups.kibana = {};
}; };
} }


@ -82,8 +82,10 @@ in {
users.users.hockeypuck = { users.users.hockeypuck = {
isSystemUser = true; isSystemUser = true;
group = "hockeypuck";
description = "Hockeypuck user"; description = "Hockeypuck user";
}; };
users.groups.hockeypuck = {};
systemd.services.hockeypuck = { systemd.services.hockeypuck = {
description = "Hockeypuck OpenPGP Key Server"; description = "Hockeypuck OpenPGP Key Server";


@ -172,8 +172,10 @@ in {
users.users.magnetico = { users.users.magnetico = {
description = "Magnetico daemons user"; description = "Magnetico daemons user";
group = "magnetico";
isSystemUser = true; isSystemUser = true;
}; };
users.groups.magnetico = {};
systemd.services.magneticod = { systemd.services.magneticod = {
description = "Magnetico DHT crawler"; description = "Magnetico DHT crawler";


@ -60,6 +60,10 @@ in {
}; };
}; };
users.users.peerflix.uid = config.ids.uids.peerflix; users.users.peerflix = {
isSystemUser = true;
group = "peerflix";
};
users.groups.peerflix = {};
}; };
} }


@ -114,6 +114,7 @@ in
users.users = optionalAttrs (cfg.user == defaultUser) { users.users = optionalAttrs (cfg.user == defaultUser) {
${defaultUser} = { ${defaultUser} = {
isSystemUser = true; isSystemUser = true;
group = defaultUser;
}; };
}; };


@ -1056,10 +1056,19 @@ in
services.dbus.enable = true; services.dbus.enable = true;
users.users.systemd-coredump.uid = config.ids.uids.systemd-coredump; users.users.systemd-coredump = {
users.users.systemd-network.uid = config.ids.uids.systemd-network; uid = config.ids.uids.systemd-coredump;
group = "systemd-coredump";
};
users.users.systemd-network = {
uid = config.ids.uids.systemd-network;
group = "systemd-network";
};
users.groups.systemd-network.gid = config.ids.gids.systemd-network; users.groups.systemd-network.gid = config.ids.gids.systemd-network;
users.users.systemd-resolve.uid = config.ids.uids.systemd-resolve; users.users.systemd-resolve = {
uid = config.ids.uids.systemd-resolve;
group = "systemd-resolve";
};
users.groups.systemd-resolve.gid = config.ids.gids.systemd-resolve; users.groups.systemd-resolve.gid = config.ids.gids.systemd-resolve;
# Target for charon send-keys to hook into. # Target for charon send-keys to hook into.


@ -158,7 +158,7 @@ in {
}; };
}; };
users.groups.lxd.gid = config.ids.gids.lxd; users.groups.lxd = {};
users.users.root = { users.users.root = {
subUidRanges = [ { startUid = 1000000; count = 65536; } ]; subUidRanges = [ { startUid = 1000000; count = 65536; } ];


@ -145,13 +145,22 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
# user that is permitted to access the unix socket # user that is permitted to access the unix socket
someuser = { someuser = {
isSystemUser = true; isSystemUser = true;
group = "someuser";
extraGroups = [ extraGroups = [
config.users.users.unbound.group config.users.users.unbound.group
]; ];
}; };
# user that is not permitted to access the unix socket # user that is not permitted to access the unix socket
unauthorizeduser = { isSystemUser = true; }; unauthorizeduser = {
isSystemUser = true;
group = "unauthorizeduser";
};
};
users.groups = {
someuser = {};
unauthorizeduser = {};
}; };
# Used for testing configuration reloading # Used for testing configuration reloading