diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
index 1a530b9f0135..5ed1f568f499 100644
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -593,8 +593,8 @@ in {
 # password or an SSH authorized key. Privileged accounts are
 # root and users in the wheel group.
 assertion = !cfg.mutableUsers ->
- any id ((mapAttrsToList (name: cfg:
- (name == "root"
+ any id ((mapAttrsToList (_: cfg:
+ (cfg.name == "root"
 || cfg.group == "wheel"
 || elem "wheel" cfg.extraGroups)
 &&
@@ -615,16 +615,16 @@ in {
 assertion = (user.hashedPassword != null)
 -> (builtins.match ".*:.*" user.hashedPassword == null);
 message = ''
- The password hash of user "${name}" contains a ":" character.
+ The password hash of user "${user.name}" contains a ":" character.
 This is invalid and would break the login system because the fields
 of /etc/shadow (file where hashes are stored) are colon-separated.
- Please check the value of option `users.users."${name}".hashedPassword`.'';
+ Please check the value of option `users.users."${user.name}".hashedPassword`.'';
 }
 );
 warnings = builtins.filter (x: x != null) (
- flip mapAttrsToList cfg.users (name: user:
+ flip mapAttrsToList cfg.users (_: user:
 # This regex matches a subset of the Modular Crypto Format (MCF)[1]
 # informal standard. Since this depends largely on the OS or the
 # specific implementation of crypt(3) we only support the (sane)
@@ -647,9 +647,9 @@ in {
 && user.hashedPassword != "" # login without password
 && builtins.match mcf user.hashedPassword == null)
 then ''
- The password hash of user "${name}" may be invalid. You must set a
+ The password hash of user "${user.name}" may be invalid. You must set a
 valid hash or the user will be locked out of their account. Please
- check the value of option `users.users."${name}".hashedPassword`.''
+ check the value of option `users.users."${user.name}".hashedPassword`.''
 else null
 ));
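Review bot: The inner lambda parameter in the first hunk is still named `cfg`, which shadows the module-level `cfg` that `!cfg.mutableUsers ->` on the line just above reads; the commit renames the key parameter to `_` but leaves this shadowing in place. The other hunks of this commit bind the per-user attribute set as `user`, so `(_: user:` with `user.name`, `user.group` and `user.extraGroups` would be consistent and make it obvious which `cfg` each line refers to. The predicate continues past the `&&` outside the hunk, so the remaining references there would need the same rename. Separately, as far as this hunk shows, wheel membership is inferred only from `cfg.group` and `cfg.extraGroups`; if a configuration grants membership through `users.groups.wheel.members` instead, such an account is not counted as privileged here and the assertion may fire even though a wheel user with a password exists.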
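Review bot: Interpolating `user.name` into the option hint ``users.users."${user.name}".hashedPassword`` makes the hint point at a non-existent option whenever the `name` option differs from the attribute key, because `users.users` is addressed by the key, which the lambda now discards with `_:`. Keep the key for the option path and use `user.name` only for the human-readable login name, e.g. `flip mapAttrsToList cfg.users (key: user:` and ``Please check the value of option `users.users."${key}".hashedPassword`.`` in the message. The same applies to the two message lines in the third hunk (`@@ -647,9 +647,9`), which reuse the `_:` binding introduced here. The lambda that binds `user` for the `assertion` at the top of this hunk starts above the hunk, so its parameter would need the same treatment there.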