nixos/users-groups: rename passwordFile in hashedPasswordFile

This avoids the possible confusion with `passwordFile` being the file
version of `password`, while it should contain the password hash.

Fixes issue #165858.
rnhmjoj 2023-09-08 21:13:31 +02:00
parent ef14cdd5b9
commit 5666a378cb
No known key found for this signature in database
GPG key ID: BFBAF4C975F76450
2 changed files with 28 additions and 14 deletions


@ -87,6 +87,8 @@
- `getent` has been moved from `glibc`'s `bin` output to its own dedicated output, reducing closure size for many dependents. Dependents using the `getent` alias should not be affected; others should move from using `glibc.bin` or `getBin glibc` to `getent` (which also improves compatibility with non-glibc platforms).
- The `users.users.<name>.passwordFile` has been renamed to `users.users.<name>.hashedPasswordFile` to avoid possible confusions. The option is in fact the file-based version of `hashedPassword`, not `password`, and expects a file containing the {manpage}`crypt(3)` hash of the user password.
- The `services.ananicy.extraRules` option now has the type of `listOf attrs` instead of `string`.
- The `matrix-synapse` package & module have undergone some significant internal changes, for most setups no intervention is needed, though:


@ -18,11 +18,11 @@ let
passwordDescription = ''
The options {option}`hashedPassword`,
{option}`password` and {option}`passwordFile`
{option}`password` and {option}`hashedPasswordFile`
controls what password is set for the user.
{option}`hashedPassword` overrides both
{option}`password` and {option}`passwordFile`.
{option}`password` overrides {option}`passwordFile`.
{option}`password` and {option}`hashedPasswordFile`.
{option}`password` overrides {option}`hashedPasswordFile`.
If none of these three options are set, no password is assigned to
the user, and the user will not be able to do password logins.
If the option {option}`users.mutableUsers` is true, the
@ -250,18 +250,26 @@ let
'';
};
passwordFile = mkOption {
hashedPasswordFile = mkOption {
type = with types; nullOr str;
default = null;
default = cfg.users.${name}.passwordFile;
defaultText = literalExpression "null";
description = lib.mdDoc ''
The full path to a file that contains the user's password. The password
file is read on each system activation. The file should contain
exactly one line, which should be the password in an encrypted form
that is suitable for the `chpasswd -e` command.
The full path to a file that contains the hash of the user's
password. The password file is read on each system activation. The
file should contain exactly one line, which should be the password in
an encrypted form that is suitable for the `chpasswd -e` command.
${passwordDescription}
'';
};
passwordFile = mkOption {
type = with types; nullOr (passwdEntry str);
default = null;
visible = false;
description = lib.mdDoc "Deprecated alias of hashedPasswordFile";
};
initialHashedPassword = mkOption {
type = with types; nullOr (passwdEntry str);
default = null;
@ -447,7 +455,7 @@ let
users = mapAttrsToList (_: u:
{ inherit (u)
name uid group description home homeMode createHome isSystemUser
password passwordFile hashedPassword
password hashedPasswordFile hashedPassword
autoSubUidGidRange subUidRanges subGidRanges
initialPassword initialHashedPassword expires;
shell = utils.toShellPath u.shell;
@ -756,7 +764,7 @@ in {
&&
(allowsLogin cfg.hashedPassword
|| cfg.password != null
|| cfg.passwordFile != null
|| cfg.hashedPasswordFile != null
|| cfg.openssh.authorizedKeys.keys != []
|| cfg.openssh.authorizedKeys.keyFiles != [])
) cfg.users ++ [
@ -845,9 +853,13 @@ in {
The password hash of user "${user.name}" may be invalid. You must set a
valid hash or the user will be locked out of their account. Please
check the value of option `users.users."${user.name}".hashedPassword`.''
else null
));
else null)
++ flip mapAttrsToList cfg.users (name: user:
if user.passwordFile != null then
''The option `users.users."${name}".passwordFile' has been renamed '' +
''to `users.users."${name}".hashedPasswordFile'.''
else null)
);
};
}
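Review bot: The hidden `passwordFile` alias is declared as `nullOr (passwdEntry str)`, while `hashedPasswordFile`, which appears to take it as its default, is `nullOr str`. As far as I know `passwdEntry` rejects strings containing `:` or a newline, a check meant for values written into the passwd database rather than for a file path, so the alias should probably keep `type = with types; nullOr str;` to accept every path the old option accepted. The `hashedPasswordFile` description still says "the password in an encrypted form", which keeps the ambiguity this rename is meant to remove; I would change that to "the crypt(3) hash of the password, in a form suitable for the chpasswd -e command" and add one sentence saying the file should be kept outside the world-readable Nix store. The new warning closes its quoted option names with `'` where the `hashedPassword` warning just above it uses a backtick on both sides, so the two messages render differently. The `let` bindings and the warnings list these hunks belong to start outside the lines shown.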