pyrox.dev / nixpkgs
lol
fork atom

nixos/users-groups: Add assert on null shells (#279431)

Philip Taron f041d52e b285588a

options
unified split
Changed files
+11 -1
nixos
modules
config
users-groups.nix
+11 -1
nixos/modules/config/users-groups.nix 
···

       
557

       
557

       
 

       
  sdInitrdGidsAreUnique = idsAreUnique (filterAttrs (n: g: g.gid != null) config.boot.initrd.systemd.groups) "gid";


     

       
558

       
558

       
 

       
  groupNames = lib.mapAttrsToList (n: g: g.name) cfg.groups;


     

       
559

       
559

       
 

       
  usersWithoutExistingGroup = lib.filterAttrs (n: u: u.group != "" && !lib.elem u.group groupNames) cfg.users;


     

       

       
560

       
+

       
  usersWithNullShells = attrNames (filterAttrs (name: cfg: cfg.shell == null) cfg.users);


     

       
560

       
561

       
 

       



     

       
561

       
562

       
 

       
  spec = pkgs.writeText "users-groups.json" (builtins.toJSON {


     

       
562

       
563

       
 

       
    inherit (cfg) mutableUsers;


     
···

       
910

       
911

       
 

       
              ${lib.concatStringsSep "\n  " (map mkConfigHint missingGroups)}


     

       
911

       
912

       
 

       
          '';


     

       
912

       
913

       
 

       
      }


     

       

       
914

       
+

       
      {


     

       

       
915

       
+

       
        assertion = !cfg.mutableUsers -> length usersWithNullShells == 0;


     

       

       
916

       
+

       
        message = ''


     

       

       
917

       
+

       
          users.mutableUsers = false has been set,


     

       

       
918

       
+

       
          but found users that have their shell set to null.


     

       

       
919

       
+

       
          If you wish to disable login, set their shell to pkgs.shadow (the default).


     

       

       
920

       
+

       
          Misconfigured users: ${lib.concatStringsSep " " usersWithNullShells}


     

       

       
921

       
+

       
        '';


     

       

       
922

       
+

       
      }


     

       
913

       
923

       
 

       
      { # If mutableUsers is false, to prevent users creating a


     

       
914

       
924

       
 

       
        # configuration that locks them out of the system, ensure that


     

       
915

       
925

       
 

       
        # there is at least one "privileged" account that has a


     

       
916

       
926

       
 

       
        # password or an SSH authorized key. Privileged accounts are


     

       
917

       
927

       
 

       
        # root and users in the wheel group.


     

       
918

       

       
-

       
        # The check does not apply when users.disableLoginPossibilityAssertion


     

       

       
928

       
+

       
        # The check does not apply when users.allowNoPasswordLogin


     

       
919

       
929

       
 

       
        # The check does not apply when users.mutableUsers


     

       
920

       
930

       
 

       
        assertion = !cfg.mutableUsers -> !cfg.allowNoPasswordLogin ->


     

       
921

       
931

       
 

       
          any id (mapAttrsToList (name: cfg: