treewide: Switch to system users (#71055)

treewide: Switch to system users
This commit is contained in:
Silvan Mosberger 2019-11-01 13:26:43 +01:00 committed by GitHub
commit dd0a47e7ae
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
47 changed files with 80 additions and 16 deletions

View file

@ -69,6 +69,7 @@ in {
users.users.x2go = {
home = "/var/lib/x2go/db";
group = "x2go";
isSystemUser = true;
};
security.wrappers.x2gosqliteWrapper = {

View file

@ -89,6 +89,7 @@ in
group = cfg.group;
home = cfg.dataDir;
createHome = true;
isSystemUser = true;
};
systemd.services.oxidized = {

View file

@ -223,6 +223,7 @@ in {
group = "jackaudio";
extraGroups = [ "audio" ];
description = "JACK Audio system service user";
isSystemUser = true;
};
# http://jackaudio.org/faq/linux_rt_config.html
security.pam.loginLimits = [

View file

@ -99,7 +99,10 @@ in
environment.systemPackages = [ pkg ];
users.users.${user}.group = group;
users.users.${user} = {
group = group;
isSystemUser = true;
};
users.groups.${group} = { };
systemd.tmpfiles.rules = [

View file

@ -191,6 +191,7 @@ in
createHome = true;
description = "Buildkite agent user";
extraGroups = [ "keys" ];
isSystemUser = true;
};
environment.systemPackages = [ cfg.package ];

View file

@ -194,7 +194,10 @@ in
allowedTCPPorts = [ cfg.port ];
};
users.users.redis.description = "Redis database user";
users.users.redis = {
description = "Redis database user";
isSystemUser = true;
};
environment.systemPackages = [ cfg.package ];

View file

@ -99,6 +99,7 @@ in
users.users.rethinkdb = mkIf (cfg.user == "rethinkdb")
{ name = "rethinkdb";
description = "RethinkDB server user";
isSystemUser = true;
};
users.groups = optionalAttrs (cfg.group == "rethinkdb") (singleton

View file

@ -115,6 +115,7 @@ in {
{ name = "infinoted";
description = "Infinoted user";
group = cfg.group;
isSystemUser = true;
};
users.groups = optional (cfg.group == "infinoted")
{ name = "infinoted";

View file

@ -61,6 +61,7 @@ in {
users.users.trezord = {
group = "trezord";
description = "Trezor bridge daemon user";
isSystemUser = true;
};
users.groups.trezord = {};

View file

@ -47,6 +47,7 @@ in
name = cfg.user;
description = "usbmuxd user";
group = cfg.group;
isSystemUser = true;
};
users.groups = optional (cfg.group == defaultUserGroup) {

View file

@ -66,6 +66,7 @@ in {
users.users.vdr = {
group = "vdr";
home = libDir;
isSystemUser = true;
};
users.groups.vdr = {};

View file

@ -27,6 +27,7 @@ in {
users.users.mailhog = {
name = cfg.user;
description = "MailHog service user";
isSystemUser = true;
};
systemd.services.mailhog = {

View file

@ -148,6 +148,7 @@ in {
name = cfg.user;
home = cfg.home;
createHome = true;
isSystemUser = true;
};
};
}

View file

@ -145,11 +145,13 @@ in {
};
users.users.docker-registry =
if cfg.storagePath != null
(if cfg.storagePath != null
then {
createHome = true;
home = cfg.storagePath;
}
else {};
else {}) // {
isSystemUser = true;
};
};
}

View file

@ -76,7 +76,10 @@ in {
};
config = mkIf (cfg.instances != {}) {
users.users.errbot.group = "errbot";
users.users.errbot = {
group = "errbot";
isSystemUser = true;
};
users.groups.errbot = {};
systemd.services = mapAttrs' (name: instanceCfg: nameValuePair "errbot-${name}" (

View file

@ -409,6 +409,7 @@ in
home = cfg.stateDir;
useDefaultShell = true;
group = "gitea";
isSystemUser = true;
};
};

View file

@ -71,6 +71,7 @@ in
group = config.users.users.gollum.name;
description = "Gollum user";
createHome = false;
isSystemUser = true;
};
users.groups.gollum = { };

View file

@ -41,7 +41,10 @@ in
};
users.users = mkIf (cfg.user == "jellyfin") {
jellyfin.group = cfg.group;
jellyfin = {
group = cfg.group;
isSystemUser = true;
};
};
users.groups = mkIf (cfg.group == "jellyfin") {

View file

@ -59,6 +59,7 @@ in
group = config.users.users.osrm.name;
description = "OSRM user";
createHome = false;
isSystemUser = true;
};
users.groups.osrm = { };

View file

@ -131,6 +131,7 @@ in {
users.users = optional (cfg.user == "collectd") {
name = "collectd";
isSystemUser = true;
};
};
}

View file

@ -49,6 +49,7 @@ in {
users.users = singleton {
name = "fusion-inventory";
description = "FusionInventory user";
isSystemUser = true;
};
systemd.services.fusion-inventory = {

View file

@ -181,6 +181,7 @@ in {
users.users = optional (cfg.user == defaultUser) {
name = defaultUser;
isSystemUser = true;
};
users.groups = optional (cfg.group == defaultUser) {

View file

@ -131,6 +131,7 @@ in
users.users.${user} = {
description = "Zabbix Agent daemon user";
inherit group;
isSystemUser = true;
};
users.groups.${group} = { };

View file

@ -187,6 +187,7 @@ in {
group = cfg.group;
description = "Bitcoin daemon user";
home = cfg.dataDir;
isSystemUser = true;
};
users.groups.${cfg.group} = {
name = cfg.group;

View file

@ -84,7 +84,7 @@ in {
config = mkIf config.services.dnscache.enable {
environment.systemPackages = [ pkgs.djbdns ];
users.users.dnscache = {};
users.users.dnscache.isSystemUser = true;
systemd.services.dnscache = {
description = "djbdns dnscache server";

View file

@ -142,6 +142,7 @@ in {
description = "dnscrypt-wrapper daemon user";
home = "${dataDir}";
createHome = true;
isSystemUser = true;
};
users.groups.dnscrypt-wrapper = { };

View file

@ -138,6 +138,7 @@ in
users.users = singleton {
name = hansUser;
description = "Hans daemon user";
isSystemUser = true;
};
};

View file

@ -95,6 +95,7 @@ in
users.users = optional (cfg.user == "matterbridge")
{ name = "matterbridge";
group = "matterbridge";
isSystemUser = true;
};
users.groups = optional (cfg.group == "matterbridge")

View file

@ -74,6 +74,7 @@ in
{ description = "Morty user";
createHome = true;
home = "/var/lib/morty";
isSystemUser = true;
};
systemd.services.morty =

View file

@ -96,6 +96,7 @@ in
users.groups.nghttpx = { };
users.users.nghttpx = {
group = config.users.groups.nghttpx.name;
isSystemUser = true;
};

View file

@ -21,6 +21,7 @@ in
name = "owamp";
group = "owamp";
description = "Owamp daemon";
isSystemUser = true;
};
users.groups = singleton {

View file

@ -56,6 +56,7 @@ in {
users.users.thelounge = {
description = "thelounge service user";
group = "thelounge";
isSystemUser = true;
};
users.groups.thelounge = {};
systemd.services.thelounge = {

View file

@ -32,7 +32,7 @@ with lib;
config = mkIf config.services.tinydns.enable {
environment.systemPackages = [ pkgs.djbdns ];
users.users.tinydns = {};
users.users.tinydns.isSystemUser = true;
systemd.services.tinydns = {
description = "djbdns tinydns server";

View file

@ -93,6 +93,6 @@ in {
};
};
users.users.${cfg.user} = { };
users.users.${cfg.user}.isSystemUser = true;
};
}

View file

@ -74,7 +74,10 @@ in {
webVaultEnabled = mkDefault true;
};
users.users.bitwarden_rs = { inherit group; };
users.users.bitwarden_rs = {
inherit group;
isSystemUser = true;
};
users.groups.bitwarden_rs = { };
systemd.services.bitwarden_rs = {

View file

@ -546,6 +546,7 @@ in
users.users.oauth2_proxy = {
description = "OAuth2 Proxy";
isSystemUser = true;
};
systemd.services.oauth2_proxy = {

View file

@ -171,6 +171,7 @@ in {
users.users.magnetico = {
description = "Magnetico daemons user";
isSystemUser = true;
};
systemd.services.magneticod = {

View file

@ -893,6 +893,7 @@ in
extraGroups = cfg.groups;
home = cfg.workDir;
createHome = true;
isSystemUser = true;
};
systemd.services.codimd = {

View file

@ -177,6 +177,7 @@ in
{ name = cfg.user;
group = cfg.group;
home = "${cfg.statePath}";
isSystemUser = true;
}
];

View file

@ -277,7 +277,10 @@ in
systemd.services.httpd.after = optional mysqlLocal "mysql.service" ++ optional pgsqlLocal "postgresql.service";
users.users.${user}.group = group;
users.users.${user} = {
group = group;
isSystemUser = true;
};
};
}

View file

@ -461,7 +461,10 @@ in
systemd.services.httpd.after = optional (cfg.database.createLocally && cfg.database.type == "mysql") "mysql.service";
users.users.${user}.group = group;
users.users.${user} = {
group = group;
isSystemUser = true;
};
environment.systemPackages = [ mediawikiScripts ];
};

View file

@ -309,7 +309,9 @@ in
systemd.services.httpd.after = optional mysqlLocal "mysql.service" ++ optional pgsqlLocal "postgresql.service";
users.users.${user}.group = group;
users.users.${user} = {
group = group;
isSystemUser = true;
};
};
}

View file

@ -54,6 +54,7 @@ in
home = stateDir;
createHome = true;
group = mkIf config.virtualisation.libvirtd.enable "libvirtd";
isSystemUser = true;
};
systemd.services.virtlyst = {

View file

@ -367,7 +367,10 @@ in
})
];
users.users.${user}.group = group;
users.users.${user} = {
group = group;
isSystemUser = true;
};
};
}

View file

@ -102,7 +102,10 @@ with lib;
environment.systemPackages = [ pkgs.hitch ];
users.users.hitch.group = "hitch";
users.users.hitch = {
group = "hitch";
isSystemUser = true;
};
users.groups.hitch = {};
};
}

View file

@ -117,6 +117,7 @@ in {
group = "traefik";
home = cfg.dataDir;
createHome = true;
isSystemUser = true;
};
users.groups.traefik = {};

View file

@ -116,6 +116,7 @@ in {
users.users = optionalAttrs (cfg.user == "unit") (singleton {
name = "unit";
group = cfg.group;
isSystemUser = true;
});
users.groups = optionalAttrs (cfg.group == "unit") (singleton {