646b892680
Some checks failed
Periodic Merges (6h) / master → staging-nixos (push) Failing after 12m50s
Periodic Merges (6h) / master → staging-next (push) Failing after 12m54s
Periodic Merges (24h) / merge-base(master,staging) → haskell-updates (push) Failing after 11m54s
Periodic Merges (6h) / staging-next → staging (push) Failing after 12m13s
Periodic Merges (24h) / staging-next-25.05 → staging-25.05 (push) Failing after 13m24s
Periodic Merges (24h) / release-25.05 → staging-next-25.05 (push) Failing after 14m28s
85 lines
3.1 KiB
Nix
85 lines
3.1 KiB
Nix
{ config, lib, ... }:
|
|
|
|
let
|
|
cfg = config.services.userdbd;
|
|
|
|
# List of system users that will be incorrectly treated as regular/normal
|
|
# users by userdb.
|
|
highSystemUsers = lib.filter (
|
|
user: user.enable && user.isSystemUser && (lib.defaultTo 0 user.uid) >= 1000 && user.uid != 65534
|
|
) (lib.attrValues config.users.users);
|
|
in
|
|
{
|
|
options.services.userdbd = {
|
|
enable = lib.mkEnableOption ''
|
|
the systemd JSON user/group record lookup service
|
|
'';
|
|
|
|
enableSSHSupport = lib.mkEnableOption ''
|
|
exposing OpenSSH public keys defined in userdb. Be aware that this
|
|
enables modifying public keys at runtime, either by users managed by
|
|
{option}`services.homed`, or globally via drop-in files
|
|
'';
|
|
|
|
silenceHighSystemUsers = lib.mkOption {
|
|
type = lib.types.bool;
|
|
default = false;
|
|
example = true;
|
|
description = "Silence warning about system users with high UIDs.";
|
|
visible = false;
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
assertions = lib.singleton {
|
|
assertion = cfg.enableSSHSupport -> config.security.enableWrappers;
|
|
message = "OpenSSH userdb integration requires security wrappers.";
|
|
};
|
|
|
|
warnings = lib.optional (lib.length highSystemUsers > 0 && !cfg.silenceHighSystemUsers) ''
|
|
The following system users have UIDs higher than 1000:
|
|
|
|
${lib.concatLines (lib.map (user: user.name) highSystemUsers)}
|
|
|
|
These users will be recognized by systemd-userdb as "regular" users, not
|
|
"system" users. This will affect programs that query regular users, such
|
|
as systemd-homed, which will not run the first boot user creation flow,
|
|
as regular users already exist.
|
|
|
|
To fix this issue, please remove or redefine these system users to have
|
|
UIDs below 1000. For Nix build users, it's possible to adjust the base
|
|
build user ID using the `ids.uids.nixbld` option, however care must be
|
|
taken to avoid collisions with UIDs of other services. Alternatively, you
|
|
may enable the `auto-allocate-uids` experimental feature and option in
|
|
the Nix configuration to avoid creating these users, however please note
|
|
that this option is experimental and subject to change.
|
|
|
|
Alternatively, to acknowledge and silence this warning, set
|
|
`services.userdbd.silenceHighSystemUsers` to true.
|
|
'';
|
|
|
|
systemd.additionalUpstreamSystemUnits = [
|
|
"systemd-userdbd.socket"
|
|
"systemd-userdbd.service"
|
|
];
|
|
|
|
systemd.sockets.systemd-userdbd.wantedBy = [ "sockets.target" ];
|
|
|
|
# OpenSSH requires AuthorizedKeysCommand to be owned only by root.
|
|
# Referencing `userdbctl` directly from the Nix store won't work, as
|
|
# `/nix/store` is owned by the `nixbld` group.
|
|
security.wrappers = lib.mkIf cfg.enableSSHSupport {
|
|
userdbctl = {
|
|
owner = "root";
|
|
group = "root";
|
|
source = lib.getExe' config.systemd.package "userdbctl";
|
|
};
|
|
};
|
|
|
|
services.openssh = lib.mkIf cfg.enableSSHSupport {
|
|
authorizedKeysCommand = "/run/wrappers/bin/userdbctl ssh-authorized-keys %u";
|
|
authorizedKeysCommandUser = "root";
|
|
};
|
|
};
|
|
}
|