2009-01-02 17:07:01 +01:00
|
|
|
{pkgs, config, ...}:
|
2007-06-08 17:41:12 +02:00
|
|
|
|
2009-09-02 19:35:24 +02:00
|
|
|
with pkgs.lib;
|
2009-01-02 17:07:01 +01:00
|
|
|
|
|
|
|
let
|
2009-09-02 19:35:24 +02:00
|
|
|
|
2009-05-29 16:25:56 +02:00
|
|
|
ids = config.ids;
|
2007-06-08 17:41:12 +02:00
|
|
|
|
2009-09-02 19:35:24 +02:00
|
|
|
|
2007-11-16 14:26:34 +01:00
|
|
|
# User accounts to be created/updated by NixOS.
|
|
|
|
users =
|
2007-06-08 17:41:12 +02:00
|
|
|
let
|
|
|
|
defaultUsers =
|
2009-09-02 19:35:24 +02:00
|
|
|
[ { name = "root";
|
2007-06-08 17:41:12 +02:00
|
|
|
uid = ids.uids.root;
|
|
|
|
description = "System administrator";
|
|
|
|
home = "/root";
|
2009-05-28 14:24:56 +02:00
|
|
|
shell = config.users.defaultUserShell;
|
2007-11-12 15:59:23 +01:00
|
|
|
group = "root";
|
2007-06-08 17:41:12 +02:00
|
|
|
}
|
|
|
|
{ name = "nobody";
|
|
|
|
uid = ids.uids.nobody;
|
|
|
|
description = "Unprivileged account (don't use!)";
|
|
|
|
}
|
|
|
|
];
|
2009-12-13 16:29:42 +01:00
|
|
|
|
2007-06-08 17:41:12 +02:00
|
|
|
makeNixBuildUser = nr:
|
|
|
|
{ name = "nixbld${toString nr}";
|
|
|
|
description = "Nix build user ${toString nr}";
|
2009-12-13 16:29:42 +01:00
|
|
|
|
|
|
|
/* For consistency with the setgid(2), setuid(2), and setgroups(2)
|
|
|
|
calls in `libstore/build.cc', don't add any supplementary group
|
|
|
|
here. */
|
2007-06-08 17:41:12 +02:00
|
|
|
uid = builtins.add ids.uids.nixbld nr;
|
2009-12-13 16:29:42 +01:00
|
|
|
group = "nixbld";
|
|
|
|
extraGroups = [];
|
2007-06-08 17:41:12 +02:00
|
|
|
};
|
2009-12-13 16:29:42 +01:00
|
|
|
|
2007-06-08 17:41:12 +02:00
|
|
|
nixBuildUsers = map makeNixBuildUser (pkgs.lib.range 1 10);
|
|
|
|
|
|
|
|
addAttrs =
|
|
|
|
{ name
|
|
|
|
, description
|
|
|
|
, uid ? ""
|
|
|
|
, group ? "nogroup"
|
|
|
|
, extraGroups ? []
|
|
|
|
, home ? "/var/empty"
|
2009-05-28 14:24:56 +02:00
|
|
|
, shell ? (if useDefaultShell then config.users.defaultUserShell else "/noshell")
|
2007-11-16 14:26:34 +01:00
|
|
|
, createHome ? false
|
|
|
|
, useDefaultShell ? false
|
2009-09-02 19:35:24 +02:00
|
|
|
, password ? null
|
2007-06-08 17:41:12 +02:00
|
|
|
}:
|
2009-09-02 19:35:24 +02:00
|
|
|
{ inherit name description uid group extraGroups home shell createHome password; };
|
2007-06-08 17:41:12 +02:00
|
|
|
|
2008-11-18 19:00:09 +01:00
|
|
|
in map addAttrs (defaultUsers ++ nixBuildUsers ++ config.users.extraUsers);
|
2007-06-08 17:41:12 +02:00
|
|
|
|
|
|
|
|
2007-11-16 14:26:34 +01:00
|
|
|
# Groups to be created/updated by NixOS.
|
|
|
|
groups =
|
2007-06-10 22:13:12 +02:00
|
|
|
let
|
|
|
|
defaultGroups =
|
2009-09-02 19:35:24 +02:00
|
|
|
[ { name = "root";
|
2007-06-10 22:13:12 +02:00
|
|
|
gid = ids.gids.root;
|
|
|
|
}
|
2007-08-16 17:09:06 +02:00
|
|
|
{ name = "wheel";
|
|
|
|
gid = ids.gids.wheel;
|
|
|
|
}
|
2008-07-02 20:03:43 +02:00
|
|
|
{ name = "disk";
|
|
|
|
gid = ids.gids.disk;
|
|
|
|
}
|
|
|
|
{ name = "kmem";
|
|
|
|
gid = ids.gids.kmem;
|
|
|
|
}
|
|
|
|
{ name = "tty";
|
|
|
|
gid = ids.gids.tty;
|
|
|
|
}
|
|
|
|
{ name = "floppy";
|
|
|
|
gid = ids.gids.floppy;
|
|
|
|
}
|
|
|
|
{ name = "uucp";
|
|
|
|
gid = ids.gids.uucp;
|
|
|
|
}
|
|
|
|
{ name = "lp";
|
|
|
|
gid = ids.gids.lp;
|
|
|
|
}
|
2009-08-11 11:17:30 +02:00
|
|
|
{ name = "cdrom";
|
|
|
|
gid = ids.gids.cdrom;
|
|
|
|
}
|
|
|
|
{ name = "tape";
|
|
|
|
gid = ids.gids.tape;
|
|
|
|
}
|
|
|
|
{ name = "video";
|
|
|
|
gid = ids.gids.video;
|
|
|
|
}
|
|
|
|
{ name = "dialout";
|
|
|
|
gid = ids.gids.dialout;
|
|
|
|
}
|
2007-06-10 22:13:12 +02:00
|
|
|
{ name = "nogroup";
|
|
|
|
gid = ids.gids.nogroup;
|
|
|
|
}
|
|
|
|
{ name = "users";
|
|
|
|
gid = ids.gids.users;
|
|
|
|
}
|
|
|
|
{ name = "nixbld";
|
|
|
|
gid = ids.gids.nixbld;
|
|
|
|
}
|
|
|
|
];
|
|
|
|
|
|
|
|
addAttrs =
|
|
|
|
{ name, gid ? "" }:
|
|
|
|
{ inherit name gid; };
|
|
|
|
|
2008-11-18 19:00:09 +01:00
|
|
|
in map addAttrs (defaultGroups ++ config.users.extraGroups);
|
2007-06-08 17:41:12 +02:00
|
|
|
|
2009-01-02 17:07:01 +01:00
|
|
|
|
2009-09-02 19:35:24 +02:00
|
|
|
# Note: the 'X' in front of the password is to distinguish between
|
|
|
|
# having an empty password, and not having a password.
|
|
|
|
serializedUser = u: "${u.name}\n${u.description}\n${toString u.uid}\n${u.group}\n${toString (concatStringsSep "," u.extraGroups)}\n${u.home}\n${u.shell}\n${toString u.createHome}\n${if u.password != null then "X" + u.password else ""}\n";
|
2009-01-02 17:07:01 +01:00
|
|
|
serializedGroup = g: "${g.name}\n${toString g.gid}";
|
2009-09-02 19:35:24 +02:00
|
|
|
|
2009-03-06 13:26:16 +01:00
|
|
|
# keep this extra file so that cat can be used to pass special chars such as "`" which is used in the avahi daemon
|
2009-09-02 19:35:24 +02:00
|
|
|
usersFile = pkgs.writeText "users" (concatStrings (map serializedUser users));
|
|
|
|
|
2009-01-02 17:07:01 +01:00
|
|
|
in
|
|
|
|
|
|
|
|
{
|
|
|
|
|
2009-09-02 19:35:24 +02:00
|
|
|
###### interface
|
2009-01-02 17:07:01 +01:00
|
|
|
|
2009-09-02 19:35:24 +02:00
|
|
|
options = {
|
|
|
|
|
|
|
|
users.extraUsers = mkOption {
|
|
|
|
default = [];
|
|
|
|
example =
|
|
|
|
[ { name = "alice";
|
|
|
|
uid = 1234;
|
|
|
|
description = "Alice";
|
|
|
|
home = "/home/alice";
|
|
|
|
createHome = true;
|
|
|
|
group = "users";
|
|
|
|
extraGroups = ["wheel"];
|
|
|
|
shell = "/bin/sh";
|
|
|
|
password = "foobar";
|
|
|
|
}
|
|
|
|
];
|
|
|
|
description = ''
|
|
|
|
Additional user accounts to be created automatically by the system.
|
|
|
|
'';
|
|
|
|
};
|
2009-01-02 17:07:01 +01:00
|
|
|
|
2009-09-02 19:35:24 +02:00
|
|
|
users.extraGroups = mkOption {
|
|
|
|
default = [];
|
|
|
|
example =
|
|
|
|
[ { name = "students";
|
|
|
|
gid = 1001;
|
|
|
|
}
|
|
|
|
];
|
|
|
|
description = ''
|
|
|
|
Additional groups to be created automatically by the system.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
###### implementation
|
|
|
|
|
|
|
|
config = {
|
|
|
|
|
|
|
|
system.activationScripts.users = fullDepEntry
|
|
|
|
''
|
2009-03-06 13:26:16 +01:00
|
|
|
cat ${usersFile} | while true; do
|
2009-01-02 17:07:01 +01:00
|
|
|
read name || break
|
|
|
|
read description
|
|
|
|
read uid
|
|
|
|
read group
|
|
|
|
read extraGroups
|
|
|
|
read home
|
|
|
|
read shell
|
|
|
|
read createHome
|
2009-09-02 19:35:24 +02:00
|
|
|
read password
|
2009-01-02 17:07:01 +01:00
|
|
|
|
|
|
|
if ! curEnt=$(getent passwd "$name"); then
|
|
|
|
echo "creating user $name..."
|
|
|
|
useradd --system \
|
|
|
|
"$name" \
|
|
|
|
--comment "$description" \
|
|
|
|
''${uid:+--uid $uid} \
|
|
|
|
--gid "$group" \
|
|
|
|
--groups "$extraGroups" \
|
|
|
|
--home "$home" \
|
|
|
|
--shell "$shell" \
|
|
|
|
''${createHome:+--create-home}
|
2009-09-02 19:35:24 +02:00
|
|
|
if test "''${password:0:1}" = 'X'; then
|
|
|
|
echo "''${password:1}" | ${pkgs.pwdutils}/bin/passwd --stdin "$name"
|
|
|
|
fi
|
2009-01-02 17:07:01 +01:00
|
|
|
else
|
|
|
|
#echo "updating user $name..."
|
|
|
|
oldIFS="$IFS"; IFS=:; set -- $curEnt; IFS="$oldIFS"
|
|
|
|
prevUid=$3
|
|
|
|
prevHome=$6
|
|
|
|
# Don't change the UID if it's the same, otherwise usermod
|
|
|
|
# will complain.
|
|
|
|
if test "$prevUid" = "$uid"; then unset uid; fi
|
|
|
|
# Don't change the home directory if it's the same to prevent
|
|
|
|
# unnecessary warnings about logged in users.
|
|
|
|
if test "$prevHome" = "$home"; then unset home; fi
|
|
|
|
usermod \
|
|
|
|
"$name" \
|
|
|
|
--comment "$description" \
|
|
|
|
''${uid:+--uid $uid} \
|
|
|
|
--gid "$group" \
|
|
|
|
--groups "$extraGroups" \
|
|
|
|
''${home:+--home "$home"} \
|
|
|
|
--shell "$shell"
|
2009-12-13 16:29:42 +01:00
|
|
|
if test -z "$extraGroups"
|
|
|
|
then
|
|
|
|
# Make sure the user is listed as belonging to its
|
|
|
|
# primary group when it has no supplementary groups. The
|
|
|
|
# main reason is to have the `nixbld[0-9]' users be
|
|
|
|
# listed as `nixbld' members; this allows `nix-store' to
|
|
|
|
# get the UIDs of all the build users by doing a
|
|
|
|
# getprnam("nixbld") call.
|
|
|
|
groupmod "$group" -A "$name"
|
|
|
|
fi
|
2009-01-02 17:07:01 +01:00
|
|
|
fi
|
2009-09-02 19:35:24 +02:00
|
|
|
|
2009-03-06 13:26:16 +01:00
|
|
|
done
|
2009-05-20 03:35:46 +02:00
|
|
|
'' [ "groups" ];
|
2009-01-02 17:07:01 +01:00
|
|
|
|
2009-09-02 19:35:24 +02:00
|
|
|
system.activationScripts.groups = fullDepEntry
|
|
|
|
''
|
2009-01-02 17:07:01 +01:00
|
|
|
while true; do
|
|
|
|
read name || break
|
|
|
|
read gid
|
|
|
|
|
|
|
|
if ! curEnt=$(getent group "$name"); then
|
|
|
|
echo "creating group $name..."
|
|
|
|
groupadd --system \
|
|
|
|
"$name" \
|
|
|
|
''${gid:+--gid $gid}
|
|
|
|
else
|
|
|
|
#echo "updating group $name..."
|
|
|
|
oldIFS="$IFS"; IFS=:; set -- $curEnt; IFS="$oldIFS"
|
|
|
|
prevGid=$3
|
|
|
|
if test -n "$gid" -a "$prevGid" != "$gid"; then
|
|
|
|
groupmod "$name" --gid $gid
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
done <<EndOfGroupList
|
|
|
|
${concatStringsSep "\n" (map serializedGroup groups)}
|
|
|
|
EndOfGroupList
|
2009-05-20 03:35:46 +02:00
|
|
|
'' [ "rootPasswd" "binsh" "etc" "var" ];
|
2007-06-08 17:41:12 +02:00
|
|
|
|
2009-01-02 17:07:01 +01:00
|
|
|
};
|
2009-09-02 19:35:24 +02:00
|
|
|
|
2007-11-09 19:49:45 +01:00
|
|
|
}
|