commit e70b42bf612e65693c95fab37ff0de725858ed8e · pyrox.dev/nixpkgs

+92

nixos/modules/config/users-groups.nix

···

       428
       428
        
       

     

       429
       429
        
         uidsAreUnique = idsAreUnique (filterAttrs (n: u: u.uid != null) cfg.users) "uid";

     

       430
       430
        
         gidsAreUnique = idsAreUnique (filterAttrs (n: g: g.gid != null) cfg.groups) "gid";

     

       431
       431
       +
         sdInitrdUidsAreUnique = idsAreUnique (filterAttrs (n: u: u.uid != null) config.boot.initrd.systemd.users) "uid";

     

       432
       432
       +
         sdInitrdGidsAreUnique = idsAreUnique (filterAttrs (n: g: g.gid != null) config.boot.initrd.systemd.groups) "gid";

     

       431
       433
        
       

     

       432
       434
        
         spec = pkgs.writeText "users-groups.json" (builtins.toJSON {

     

       433
       435
        
           inherit (cfg) mutableUsers;

     
···

       534
       536
        
               WARNING: enabling this can lock you out of your system. Enable this only if you know what are you doing.

     

       535
       537
        
             '';

     

       536
       538
        
           };

     

       539
       539
       +
       

     

       540
       540
       +
           # systemd initrd

     

       541
       541
       +
           boot.initrd.systemd.users = mkOption {

     

       542
       542
       +
             visible = false;

     

       543
       543
       +
             description = ''

     

       544
       544
       +
               Users to include in initrd.

     

       545
       545
       +
             '';

     

       546
       546
       +
             default = {};

     

       547
       547
       +
             type = types.attrsOf (types.submodule ({ name, ... }: {

     

       548
       548
       +
               options.uid = mkOption {

     

       549
       549
       +
                 visible = false;

     

       550
       550
       +
                 type = types.int;

     

       551
       551
       +
                 description = ''

     

       552
       552
       +
                   ID of the user in initrd.

     

       553
       553
       +
                 '';

     

       554
       554
       +
                 defaultText = literalExpression "config.users.users.\${name}.uid";

     

       555
       555
       +
                 default = cfg.users.${name}.uid;

     

       556
       556
       +
               };

     

       557
       557
       +
               options.group = mkOption {

     

       558
       558
       +
                 visible = false;

     

       559
       559
       +
                 type = types.singleLineStr;

     

       560
       560
       +
                 description = ''

     

       561
       561
       +
                   Group the user belongs to in initrd.

     

       562
       562
       +
                 '';

     

       563
       563
       +
                 defaultText = literalExpression "config.users.users.\${name}.group";

     

       564
       564
       +
                 default = cfg.users.${name}.group;

     

       565
       565
       +
               };

     

       566
       566
       +
             }));

     

       567
       567
       +
           };

     

       568
       568
       +
       

     

       569
       569
       +
           boot.initrd.systemd.groups = mkOption {

     

       570
       570
       +
             visible = false;

     

       571
       571
       +
             description = ''

     

       572
       572
       +
               Groups to include in initrd.

     

       573
       573
       +
             '';

     

       574
       574
       +
             default = {};

     

       575
       575
       +
             type = types.attrsOf (types.submodule ({ name, ... }: {

     

       576
       576
       +
               options.gid = mkOption {

     

       577
       577
       +
                 visible = false;

     

       578
       578
       +
                 type = types.int;

     

       579
       579
       +
                 description = ''

     

       580
       580
       +
                   ID of the group in initrd.

     

       581
       581
       +
                 '';

     

       582
       582
       +
                 defaultText = literalExpression "config.users.groups.\${name}.gid";

     

       583
       583
       +
                 default = cfg.groups.${name}.gid;

     

       584
       584
       +
               };

     

       585
       585
       +
             }));

     

       586
       586
       +
           };

     

       537
       587
        
         };

     

       538
       588
        
       

     

       539
       589
        
       

     
···

       639
       689
        
             "/etc/profiles/per-user/$USER"

     

       640
       690
        
           ];

     

       641
       691
        
       

     

       692
       692
       +
           # systemd initrd

     

       693
       693
       +
           boot.initrd.systemd = lib.mkIf config.boot.initrd.systemd.enable {

     

       694
       694
       +
             contents = {

     

       695
       695
       +
               "/etc/passwd".text = ''

     

       696
       696
       +
                 ${lib.concatStringsSep "\n" (lib.mapAttrsToList (n: { uid, group }: let

     

       697
       697
       +
                   g = config.boot.initrd.systemd.groups.${group};

     

       698
       698
       +
                 in "${n}:x:${toString uid}:${toString g.gid}::/var/empty:") config.boot.initrd.systemd.users)}

     

       699
       699
       +
               '';

     

       700
       700
       +
               "/etc/group".text = ''

     

       701
       701
       +
                 ${lib.concatStringsSep "\n" (lib.mapAttrsToList (n: { gid }: "${n}:x:${toString gid}:") config.boot.initrd.systemd.groups)}

     

       702
       702
       +
               '';

     

       703
       703
       +
             };

     

       704
       704
       +
       

     

       705
       705
       +
             users = {

     

       706
       706
       +
               root = {};

     

       707
       707
       +
               nobody = {};

     

       708
       708
       +
             };

     

       709
       709
       +
       

     

       710
       710
       +
             groups = {

     

       711
       711
       +
               root = {};

     

       712
       712
       +
               nogroup = {};

     

       713
       713
       +
               systemd-journal = {};

     

       714
       714
       +
               tty = {};

     

       715
       715
       +
               dialout = {};

     

       716
       716
       +
               kmem = {};

     

       717
       717
       +
               input = {};

     

       718
       718
       +
               video = {};

     

       719
       719
       +
               render = {};

     

       720
       720
       +
               sgx = {};

     

       721
       721
       +
               audio = {};

     

       722
       722
       +
               video = {};

     

       723
       723
       +
               lp = {};

     

       724
       724
       +
               disk = {};

     

       725
       725
       +
               cdrom = {};

     

       726
       726
       +
               tape = {};

     

       727
       727
       +
               kvm = {};

     

       728
       728
       +
             };

     

       729
       729
       +
           };

     

       730
       730
       +
       

     

       642
       731
        
           assertions = [

     

       643
       732
        
             { assertion = !cfg.enforceIdUniqueness || (uidsAreUnique && gidsAreUnique);

     

       644
       733
        
               message = "UIDs and GIDs must be unique!";

     

       734
       734
       +
             }

     

       735
       735
       +
             { assertion = !cfg.enforceIdUniqueness || (sdInitrdUidsAreUnique && sdInitrdGidsAreUnique);

     

       736
       736
       +
               message = "systemd initrd UIDs and GIDs must be unique!";

     

       645
       737
        
             }

     

       646
       738
        
             { # If mutableUsers is false, to prevent users creating a

     

       647
       739
        
               # configuration that locks them out of the system, ensure that

-1

nixos/modules/system/boot/systemd/initrd.nix

···

       388
       388
        
       

     

       389
       389
        
               "/etc/modules-load.d/nixos.conf".text = concatStringsSep "\n" config.boot.initrd.kernelModules;

     

       390
       390
        
       

     

       391
       391
       -
               "/etc/passwd".source = "${pkgs.fakeNss}/etc/passwd";

     

       392
       391
        
               # We can use either ! or * to lock the root account in the

     

       393
       392
        
               # console, but some software like OpenSSH won't even allow you

     

       394
       393
        
               # to log in with an SSH key if you use ! so we use * instead

nixos/tests/systemd-initrd-simple.nix

···

       27
       27
        
               machine.succeed("[ -e /dev/pts/ptmx ]") # /dev/pts

     

       28
       28
        
               machine.succeed("[ -e /run/keys ]") # /run/keys

     

       29
       29
        
       

     

       30
       30
       +
           with subtest("groups work"):

     

       31
       31
       +
               machine.fail("journalctl -b 0 | grep 'systemd-udevd.*Unknown group.*ignoring'")

     

       30
       32
        
       

     

       31
       33
        
           with subtest("growfs works"):

     

       32
       34
        
               oldAvail = machine.succeed("df --output=avail / | sed 1d")