nixpkgs-suyu/modules/config/users-groups.nix
Eelco Dolstra 6f8e30313f * The "audio" group should always exist, even if the ALSA module is
disabled, because udev rules refer to it.

svn path=/nixos/trunk/; revision=30229
2011-11-04 17:40:00 +00:00

260 lines
7.4 KiB
Nix

{pkgs, config, ...}:
with pkgs.lib;
let
ids = config.ids;
# User accounts to be created/updated by NixOS.
users =
let
defaultUsers =
[ { name = "root";
uid = ids.uids.root;
description = "System administrator";
home = "/root";
shell = config.users.defaultUserShell;
group = "root";
}
{ name = "nobody";
uid = ids.uids.nobody;
description = "Unprivileged account (don't use!)";
}
];
# !!! Use NixOS module system to add default attributes.
addAttrs =
{ name
, description
, uid ? ""
, group ? "nogroup"
, extraGroups ? []
, home ? "/var/empty"
, shell ? (if useDefaultShell then config.users.defaultUserShell else "/noshell")
, createHome ? false
, useDefaultShell ? false
, password ? null
, isSystemUser ? true
}:
{ inherit name description uid group extraGroups home shell createHome password isSystemUser; };
in map addAttrs (defaultUsers ++ config.users.extraUsers);
# Groups to be created/updated by NixOS.
groups =
let
defaultGroups =
[ { name = "root";
gid = ids.gids.root;
}
{ name = "wheel";
gid = ids.gids.wheel;
}
{ name = "disk";
gid = ids.gids.disk;
}
{ name = "kmem";
gid = ids.gids.kmem;
}
{ name = "tty";
gid = ids.gids.tty;
}
{ name = "floppy";
gid = ids.gids.floppy;
}
{ name = "uucp";
gid = ids.gids.uucp;
}
{ name = "lp";
gid = ids.gids.lp;
}
{ name = "cdrom";
gid = ids.gids.cdrom;
}
{ name = "tape";
gid = ids.gids.tape;
}
{ name = "audio";
gid = ids.gids.audio;
}
{ name = "video";
gid = ids.gids.video;
}
{ name = "dialout";
gid = ids.gids.dialout;
}
{ name = "nogroup";
gid = ids.gids.nogroup;
}
{ name = "users";
gid = ids.gids.users;
}
{ name = "nixbld";
gid = ids.gids.nixbld;
}
{ name = "utmp";
gid = ids.gids.utmp;
}
];
addAttrs =
{ name, gid ? "" }:
{ inherit name gid; };
in map addAttrs (defaultGroups ++ config.users.extraGroups);
# Note: the 'X' in front of the password is to distinguish between
# having an empty password, and not having a password.
serializedUser = u: "${u.name}\n${u.description}\n${toString u.uid}\n${u.group}\n${toString (concatStringsSep "," u.extraGroups)}\n${u.home}\n${u.shell}\n${toString u.createHome}\n${if u.password != null then "X" + u.password else ""}\n${toString u.isSystemUser}\n";
serializedGroup = g: "${g.name}\n${toString g.gid}";
# keep this extra file so that cat can be used to pass special chars such as "`" which is used in the avahi daemon
usersFile = pkgs.writeText "users" (concatStrings (map serializedUser users));
in
{
###### interface
options = {
users.extraUsers = mkOption {
default = [];
example =
[ { name = "alice";
uid = 1234;
description = "Alice";
home = "/home/alice";
createHome = true;
group = "users";
extraGroups = ["wheel"];
shell = "/bin/sh";
password = "foobar";
}
];
description = ''
Additional user accounts to be created automatically by the system.
'';
};
users.extraGroups = mkOption {
default = [];
example =
[ { name = "students";
gid = 1001;
}
];
description = ''
Additional groups to be created automatically by the system.
'';
};
};
###### implementation
config = {
system.activationScripts.rootPasswd = stringAfter [ "etc" ]
''
# If there is no password file yet, create a root account with an
# empty password.
if ! test -e /etc/passwd; then
rootHome=/root
touch /etc/passwd; chmod 0644 /etc/passwd
touch /etc/group; chmod 0644 /etc/group
touch /etc/shadow; chmod 0600 /etc/shadow
# Can't use useradd, since it complains that it doesn't know us
# (bootstrap problem!).
echo "root:x:0:0:System administrator:$rootHome:${config.users.defaultUserShell}" >> /etc/passwd
echo "root::::::::" >> /etc/shadow
fi
'';
system.activationScripts.users = stringAfter [ "groups" ]
''
echo "updating users..."
cat ${usersFile} | while true; do
read name || break
read description
read uid
read group
read extraGroups
read home
read shell
read createHome
read password
read isSystemUser
if ! curEnt=$(getent passwd "$name"); then
useradd ''${isSystemUser:+--system} \
--comment "$description" \
''${uid:+--uid $uid} \
--gid "$group" \
--groups "$extraGroups" \
--home "$home" \
--shell "$shell" \
''${createHome:+--create-home} \
"$name"
if test "''${password:0:1}" = 'X'; then
(echo "''${password:1}"; echo "''${password:1}") | ${pkgs.shadow}/bin/passwd "$name"
fi
else
#echo "updating user $name..."
oldIFS="$IFS"; IFS=:; set -- $curEnt; IFS="$oldIFS"
prevUid=$3
prevHome=$6
# Don't change the UID if it's the same, otherwise usermod
# will complain.
if test "$prevUid" = "$uid"; then unset uid; fi
# Don't change the home directory if it's the same to prevent
# unnecessary warnings about logged in users.
if test "$prevHome" = "$home"; then unset home; fi
usermod \
--comment "$description" \
''${uid:+--uid $uid} \
--gid "$group" \
--groups "$extraGroups" \
''${home:+--home "$home"} \
--shell "$shell" \
"$name"
fi
done
'';
system.activationScripts.groups = stringAfter [ "rootPasswd" "binsh" "etc" "var" ]
''
echo "updating groups..."
while true; do
read name || break
read gid
if ! curEnt=$(getent group "$name"); then
groupadd --system \
''${gid:+--gid $gid} \
"$name"
else
#echo "updating group $name..."
oldIFS="$IFS"; IFS=:; set -- $curEnt; IFS="$oldIFS"
prevGid=$3
if test -n "$gid" -a "$prevGid" != "$gid"; then
groupmod --gid $gid "$name"
fi
fi
done <<EndOfGroupList
${concatStringsSep "\n" (map serializedGroup groups)}
EndOfGroupList
'';
};
}