nix/8.nix-darwin
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
8.nix-darwin/modules/users/nixbld/default.nix
Daiderd Jordan 5c3146b75d
users: migrate nixbld -> _nixbld 
According to some investigation creating "role" accounts avoids
migration problems when upgrading to certain macOS versions, so create
the build users to match that definition and remove the old ones if
present.

    Role accounts require name starting with _ and UID in 200-400 range
2021-02-17 22:04:54 +01:00

70 lines
2.1 KiB
Nix
Raw Blame History

{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.users;
named = xs: listToAttrs (map (x: { name = x.name; value = x; }) xs);
createdGroups = mapAttrsToList (n: v: v.name) cfg.groups;
createdUsers = mapAttrsToList (n: v: v.name) cfg.users;
mkUsers = f: genList (x: f (x + 1)) cfg.nix.nrBuildUsers;
buildUsers = mkUsers (i: {
name = "_nixbld${toString i}";
uid = 300 + i;
gid = 300;
description = "Nix build user ${toString i}";
});
buildGroups = [{
name = "nixbld";
gid = 30000;
description = "Nix build group for nix-daemon";
members = map (v: v.name) buildUsers;
}];
in
{
options = {
users.nix.configureBuildUsers = mkOption {
type = types.bool;
default = false;
description = ''
Configuration for nixbld group and users.
NOTE: This does not work unless knownGroups/knownUsers is set.
'';
};
users.nix.nrBuildUsers = mkOption {
type = mkOptionType {
name = "integer";
check = t: isInt t && t > 1;
};
default = 32;
description = "Number of nixbld user accounts created to perform secure concurrent builds.";
};
};
config = {
assertions = [
{ assertion = elem "nixbld" cfg.knownGroups -> elem "nixbld" createdGroups; message = "refusing to delete group nixbld in users.knownGroups, this would break nix"; }
{ assertion = elem "_nixbld1" cfg.knownUsers -> elem "_nixbld1" createdUsers; message = "refusing to delete user _nixbld1 in users.knownUsers, this would break nix"; }
{ assertion = cfg.groups ? "nixbld" -> cfg.groups.nixbld.members != []; message = "refusing to remove all members from nixbld group, this would break nix"; }
];
users.groups = mkIf cfg.nix.configureBuildUsers (named buildGroups);
users.users = mkIf cfg.nix.configureBuildUsers (named buildUsers);
users.knownGroups = mkIf cfg.nix.configureBuildUsers [ "nixbld" ];
users.knownUsers = mkIf cfg.nix.configureBuildUsers (mkMerge [
(mkUsers (i: "_nixbld${toString i}"))
(mkUsers (i: "nixbld${toString i}")) # delete old style nixbld users
]);
};
}
Reference in a new issue View git blame Copy permalink