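{ config, lib, ... }:

let
  cfg = config.services.userdbd;

  # System users whose UID falls into the range systemd-userdb reserves for
  # regular users. systemd-userdb classifies records by UID alone, so these
  # accounts would be reported as "regular" despite `isSystemUser = true`.
  # UID 65534 (nobody) is excluded, and a user with no explicit UID
  # (`uid = null`) is treated as 0, i.e. never listed.
  highSystemUsers = lib.filter (
    user:
    user.enable
    && user.isSystemUser
    && (lib.defaultTo 0 user.uid) >= 1000
    && user.uid != 65534
  ) (lib.attrValues config.users.users);
in
{
  options.services.userdbd = {
    enable = lib.mkEnableOption ''
      the systemd JSON user/group record lookup service
    '';

    enableSSHSupport = lib.mkEnableOption ''
      exposing OpenSSH public keys defined in userdb. Be aware that this
      enables modifying public keys at runtime, either by users managed by
      {option}`services.homed`, or globally via drop-in files
    '';

    # Hidden escape hatch for deployments that have reviewed the warning
    # emitted below and accept its consequences.
    silenceHighSystemUsers = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Silence warning about system users with high UIDs.";
      visible = false;
    };
  };

  config = lib.mkIf cfg.enable {
    # The SSH integration below points sshd at a binary under
    # `/run/wrappers/bin`, which is only populated when security wrappers
    # are enabled; fail evaluation early rather than at login time.
    assertions = lib.singleton {
      assertion = cfg.enableSSHSupport -> config.security.enableWrappers;
      message = "OpenSSH userdb integration requires security wrappers.";
    };

    # The filter above uses `>= 1000`, so the message must say "1000 or
    # higher", not "higher than 1000": a user with UID exactly 1000 is listed.
    warnings = lib.optional (highSystemUsers != [ ] && !cfg.silenceHighSystemUsers) ''
      The following system users have UIDs of 1000 or higher:

      ${lib.concatLines (lib.map (user: user.name) highSystemUsers)}

      These users will be recognized by systemd-userdb as "regular" users, not
      "system" users. This will affect programs that query regular users, such
      as systemd-homed, which will not run the first boot user creation flow,
      as regular users already exist.

      To fix this issue, please remove or redefine these system users to have
      UIDs below 1000. For Nix build users, it's possible to adjust the base
      build user ID using the `ids.uids.nixbld` option, however care must be
      taken to avoid collisions with UIDs of other services. Alternatively, you
      may enable the `auto-allocate-uids` experimental feature and option in
      the Nix configuration to avoid creating these users, however please note
      that this option is experimental and subject to change.

      Alternatively, to acknowledge and silence this warning, set
      `services.userdbd.silenceHighSystemUsers` to true.
    '';

    # Pull in the upstream socket and service units unmodified; the service
    # is started on demand through its socket.
    systemd.additionalUpstreamSystemUnits = [
      "systemd-userdbd.socket"
      "systemd-userdbd.service"
    ];

    systemd.sockets.systemd-userdbd.wantedBy = [ "sockets.target" ];

    # OpenSSH requires AuthorizedKeysCommand to be owned only by root.
    # Referencing `userdbctl` directly from the Nix store won't work, as
    # `/nix/store` is owned by the `nixbld` group. The wrapper is a plain
    # root-owned copy; no setuid/setgid bit is requested here.
    security.wrappers = lib.mkIf cfg.enableSSHSupport {
      userdbctl = {
        owner = "root";
        group = "root";
        source = lib.getExe' config.systemd.package "userdbctl";
      };
    };

    # sshd invokes the wrapper as root for every public-key login attempt,
    # substituting the target user name for `%u`. Keys returned this way are
    # trusted exactly like `~/.ssh/authorized_keys`, which is why the
    # `enableSSHSupport` option description calls out runtime modification.
    services.openssh = lib.mkIf cfg.enableSSHSupport {
      authorizedKeysCommand = "/run/wrappers/bin/userdbctl ssh-authorized-keys %u";
      authorizedKeysCommandUser = "root";
    };
  };
}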