feat: add persistent ids to all users/groups

2026-04-14 13:19:09 +02:00 · 2026-01-12 22:15:57 +01:00 · 2026-01-12 22:15:57 +01:00 · 7f65f74fef
commit 7f65f74fef
parent 37a8e17cc9
62 changed files with 533 additions and 173 deletions
--- a/modules/nixos/server/id.nix
+++ b/modules/nixos/server/id.nix
@ -0,0 +1,103 @@
+{ lib, config, confLib, ... }:
+let
+  inherit (lib)
+    concatLists
+    flip
+    mapAttrsToList
+    mkDefault
+    mkIf
+    mkOption
+    types
+    ;
+
+  cfg = config.users.persistentIds;
+in
+{
+  options = {
+    swarselmodules.server.ids = lib.mkEnableOption "enable persistent ids on server";
+    users.persistentIds = mkOption {
+      default = { };
+      description = ''
+        Maps a user or group name to its expected uid/gid values. If a user/group is
+        used on the system without specifying a uid/gid, this module will assign the
+        corresponding ids defined here, or show an error if the definition is missing.
+      '';
+      type = types.attrsOf (
+        types.submodule {
+          options = {
+            uid = mkOption {
+              type = types.nullOr types.int;
+              default = null;
+              description = "The uid to assign if it is missing in `users.users.<name>`.";
+            };
+            gid = mkOption {
+              type = types.nullOr types.int;
+              default = null;
+              description = "The gid to assign if it is missing in `users.groups.<name>`.";
+            };
+          };
+        }
+      );
+    };
+
+    users.users = mkOption {
+      type = types.attrsOf (
+        types.submodule (
+          { name, ... }:
+          {
+            config.uid =
+              let
+                persistentUid = cfg.${name}.uid or null;
+              in
+              mkIf (persistentUid != null) (mkDefault persistentUid);
+          }
+        )
+      );
+    };
+
+    users.groups = mkOption {
+      type = types.attrsOf (
+        types.submodule (
+          { name, ... }:
+          {
+            config.gid =
+              let
+                persistentGid = cfg.${name}.gid or null;
+              in
+              mkIf (persistentGid != null) (mkDefault persistentGid);
+          }
+        )
+      );
+    };
+  };
+  config = lib.mkIf config.swarselmodules.server.ids {
+    assertions =
+      concatLists
+        (
+          flip mapAttrsToList config.users.users (
+            name: user: [
+              {
+                assertion = user.uid != null;
+                message = "non-persistent uid detected for '${name}', please assign one via `users.persistentIds`";
+              }
+              {
+                assertion = !user.autoSubUidGidRange;
+                message = "non-persistent subUids/subGids detected for: ${name}";
+              }
+            ]
+          )
+        )
+      ++ flip mapAttrsToList config.users.groups (
+        name: group: {
+          assertion = group.gid != null;
+          message = "non-persistent gid detected for '${name}', please assign one via `users.persistentIds`";
+        }
+      );
+    users.persistentIds = {
+      systemd-coredump = confLib.mkIds 998;
+      systemd-oom = confLib.mkIds 997;
+      polkituser = confLib.mkIds 973;
+      nscd = confLib.mkIds 972;
+    };
+  };
+}