nixos: define the primary group of users where needed

NixOS · symphorien · Sep 13, 2021 · Aug 8, 2021 · Aug 8, 2021 · Aug 8, 2021
commit bc3bca822a32fbbc73a9d55394991cef92dba3b9
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
@@ -83,14 +83,14 @@ in
       #fourstore = 42; # dropped in 20.03
       #fourstorehttp = 43; # dropped in 20.03
       virtuoso = 44;
-      rtkit = 45;
+      #rtkit = 45; # dynamically allocated 2021-09-03
       dovecot2 = 46;
       dovenull2 = 47;
       prayer = 49;
       mpd = 50;
       clamav = 51;
       fprot = 52;
-      bind = 53;
+      # bind = 53; #dynamically allocated as of 2021-09-03
       wwwrun = 54;
       #adm = 55; # unused
       spamd = 56;
@@ -134,13 +134,13 @@ in
       firebird = 95;
       #keys = 96; # unused
       #haproxy = 97; # dynamically allocated as of 2020-03-11
-      mongodb = 98;
+      #mongodb = 98; #dynamically allocated as of 2021-09-03
       #openldap = 99; # dynamically allocated as of PR#94610
       #users = 100; # unused
       cgminer = 101;
       munin = 102;
       logcheck = 103;
-      nix-ssh = 104;
+      #nix-ssh = 104; #dynamically allocated as of 2021-09-03
       dictd = 105;
       couchdb = 106;
       #searx = 107; # dynamically allocated as of 2020-10-27
@@ -149,9 +149,9 @@ in
       systemd-journal-gateway = 110;
       #notbit = 111; # unused
       aerospike = 111;
-      ngircd = 112;
+      #ngircd = 112; #dynamically allocated as of 2021-09-03
       #btsync = 113; # unused
-      minecraft = 114;
+      #minecraft = 114; #dynamically allocated as of 2021-09-03
       vault = 115;
       rippled = 116;
       murmur = 117;
@@ -169,19 +169,19 @@ in
       mopidy = 130;
       #docker = 131; # unused
       gdm = 132;
-      dhcpd = 133;
+      #dhcpd = 133; # dynamically allocated as of 2021-09-03
       siproxd = 134;
       mlmmj = 135;
-      neo4j = 136;
+      #neo4j = 136;# dynamically allocated as of 2021-09-03
       riemann = 137;
       riemanndash = 138;
-      radvd = 139;
-      zookeeper = 140;
-      dnsmasq = 141;
+      #radvd = 139;# dynamically allocated as of 2021-09-03
+      #zookeeper = 140;# dynamically allocated as of 2021-09-03
+      #dnsmasq = 141;# dynamically allocated as of 2021-09-03
       #uhub = 142; # unused
       yandexdisk = 143;
       mxisd = 144; # was once collectd
-      consul = 145;
+      #consul = 145;# dynamically allocated as of 2021-09-03
       mailpile = 146;
       redmine = 147;
       #seeks = 148; # removed 2020-06-21
@@ -192,7 +192,7 @@ in
       systemd-resolve = 153;
       systemd-timesync = 154;
       liquidsoap = 155;
-      etcd = 156;
+      #etcd = 156;# dynamically allocated as of 2021-09-03
       hbase = 158;
       opentsdb = 159;
       scollector = 160;
@@ -204,7 +204,7 @@ in
       tox-bootstrapd = 166;
       cadvisor = 167;
       nylon = 168;
-      apache-kafka = 169;
+      #apache-kafka = 169;# dynamically allocated as of 2021-09-03
       #panamax = 170; # unused
       exim = 172;
       #fleet = 173; # unused
@@ -241,7 +241,7 @@ in
       gateone = 207;
       namecoin = 208;
       #lxd = 210; # unused
-      kibana = 211;
+      #kibana = 211;# dynamically allocated as of 2021-09-03
       xtreemfs = 212;
       calibre-server = 213;
       heapster = 214;
@@ -264,22 +264,22 @@ in
       avahi-autoipd = 231;
       nntp-proxy = 232;
       mjpg-streamer = 233;
-      radicale = 234;
+      #radicale = 234;# dynamically allocated as of 2021-09-03
       hydra-queue-runner = 235;
       hydra-www = 236;
       syncthing = 237;
       caddy = 239;
       taskd = 240;
       # factorio = 241; # DynamicUser = true
       # emby = 242; # unusued, removed 2019-05-01
-      graylog = 243;
+      #graylog = 243;# dynamically allocated as of 2021-09-03
       sniproxy = 244;
       nzbget = 245;
       mosquitto = 246;
       toxvpn = 247;
       # squeezelite = 248; # DynamicUser = true
       turnserver = 249;
-      smokeping = 250;
+      #smokeping = 250;# dynamically allocated as of 2021-09-03
       gocd-agent = 251;
       gocd-server = 252;
       terraria = 253;
@@ -553,7 +553,7 @@ in
       #shout = 206; #unused
       gateone = 207;
       namecoin = 208;
-      lxd = 210; # unused
+      #lxd = 210; # unused
       #kibana = 211;
       xtreemfs = 212;
       calibre-server = 213;
@@ -572,7 +572,7 @@ in
       cfdyndns = 227;
       pdnsd = 229;
       octoprint = 230;
-      radicale = 234;
+      #radicale = 234;# dynamically allocated as of 2021-09-03
       syncthing = 237;
       caddy = 239;
       taskd = 240;
@@ -584,7 +584,7 @@ in
       #toxvpn = 247; # unused
       #squeezelite = 248; #unused
       turnserver = 249;
-      smokeping = 250;
+      #smokeping = 250;# dynamically allocated as of 2021-09-03
       gocd-agent = 251;
       gocd-server = 252;
       terraria = 253;

diff --git a/nixos/modules/security/rtkit.nix b/nixos/modules/security/rtkit.nix
@@ -35,9 +35,12 @@ with lib;
     services.dbus.packages = [ pkgs.rtkit ];
 
     users.users.rtkit =
-      { uid = config.ids.uids.rtkit;
+      {
+        isSystemUser = true;
+        group = "rtkit";
         description = "RealtimeKit daemon";
       };
+    users.groups.rtkit = {};
 
   };
 

diff --git a/nixos/modules/services/backup/borgbackup.nix b/nixos/modules/services/backup/borgbackup.nix
@@ -169,6 +169,7 @@ let
         (map (mkAuthorizedKey cfg false) cfg.authorizedKeys
         ++ map (mkAuthorizedKey cfg true) cfg.authorizedKeysAppendOnly);
       useDefaultShell = true;
+      group = cfg.group;
       isSystemUser = true;
     };
     groups.${cfg.group} = { };

diff --git a/nixos/modules/services/databases/influxdb.nix b/nixos/modules/services/databases/influxdb.nix
@@ -185,6 +185,7 @@ in
     users.users = optionalAttrs (cfg.user == "influxdb") {
       influxdb = {
         uid = config.ids.uids.influxdb;
+        group = "influxdb";
         description = "Influxdb daemon user";
       };
     };

diff --git a/nixos/modules/services/databases/memcached.nix b/nixos/modules/services/databases/memcached.nix
@@ -67,7 +67,9 @@ in
     users.users = optionalAttrs (cfg.user == "memcached") {
       memcached.description = "Memcached server user";
       memcached.isSystemUser = true;
+      memcached.group = "memcached";
     };
+    users.groups = optionalAttrs (cfg.user == "memcached") { memcached = {}; };
 
     environment.systemPackages = [ memcached ];
 

diff --git a/nixos/modules/services/databases/mongodb.nix b/nixos/modules/services/databases/mongodb.nix
@@ -123,9 +123,11 @@ in
 
     users.users.mongodb = mkIf (cfg.user == "mongodb")
       { name = "mongodb";
-        uid = config.ids.uids.mongodb;
+        isSystemUser = true;
+        group = "mongodb";
         description = "MongoDB server user";
       };
+    users.groups.mongodb = mkIf (cfg.user == "mongodb") {};
 
     environment.systemPackages = [ mongodb ];
 

diff --git a/nixos/modules/services/databases/neo4j.nix b/nixos/modules/services/databases/neo4j.nix
@@ -651,10 +651,12 @@ in {
       environment.systemPackages = [ cfg.package ];
 
       users.users.neo4j = {
-        uid = config.ids.uids.neo4j;
+        isSystemUser = true;
+        group = "neo4j";
         description = "Neo4j daemon user";
         home = cfg.directories.home;
       };
+      users.groups.neo4j = {};
     };
 
   meta = {

diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix
@@ -246,6 +246,7 @@ in {
 
     users.users.redis = {
       description = "Redis database user";
+      group = "redis";
       isSystemUser = true;
     };
     users.groups.redis = {};

diff --git a/nixos/modules/services/games/minecraft-server.nix b/nixos/modules/services/games/minecraft-server.nix
@@ -167,8 +167,10 @@ in {
       description     = "Minecraft server service user";
       home            = cfg.dataDir;
       createHome      = true;
-      uid             = config.ids.uids.minecraft;
+      isSystemUser    = true;
+      group           = "minecraft";
     };
+    users.groups.minecraft = {};
 
     systemd.services.minecraft-server = {
       description   = "Minecraft Server Service";

diff --git a/nixos/modules/services/logging/graylog.nix b/nixos/modules/services/logging/graylog.nix
@@ -128,10 +128,12 @@ in
 
     users.users = mkIf (cfg.user == "graylog") {
       graylog = {
-        uid = config.ids.uids.graylog;
+        isSystemUser = true;
+        group = "graylog";
         description = "Graylog server daemon user";
       };
     };
+    users.groups = mkIf (cfg.user == "graylog") {};
 
     systemd.tmpfiles.rules = [
       "d '${cfg.messageJournalDir}' - ${cfg.user} - - -"

diff --git a/nixos/modules/services/misc/airsonic.nix b/nixos/modules/services/misc/airsonic.nix
@@ -165,10 +165,12 @@ in {
 
     users.users.airsonic = {
       description = "Airsonic service user";
+      group = "airsonic";
       name = cfg.user;
       home = cfg.home;
       createHome = true;
       isSystemUser = true;
     };
+    users.groups.airsonic = {};
   };
 }
diff --git a/nixos/modules/services/misc/apache-kafka.nix b/nixos/modules/services/misc/apache-kafka.nix
@@ -120,10 +120,12 @@ in {
     environment.systemPackages = [cfg.package];
 
     users.users.apache-kafka = {
-      uid = config.ids.uids.apache-kafka;
+      isSystemUser = true;
+      group = "apache-kafka";
       description = "Apache Kafka daemon user";
       home = head cfg.logDirs;
     };
+    users.groups.apache-kafka = {};
 
     systemd.tmpfiles.rules = map (logDir: "d '${logDir}' 0700 apache-kafka - - -") cfg.logDirs;
 

diff --git a/nixos/modules/services/misc/docker-registry.nix b/nixos/modules/services/misc/docker-registry.nix
@@ -151,7 +151,9 @@ in {
         home = cfg.storagePath;
       }
       else {}) // {
+        group = "docker-registry";
         isSystemUser = true;
       };
+    users.groups.docker-registry = {};
   };
 }
diff --git a/nixos/modules/services/misc/etcd.nix b/nixos/modules/services/misc/etcd.nix
@@ -187,9 +187,11 @@ in {
     environment.systemPackages = [ pkgs.etcd ];
 
     users.users.etcd = {
-      uid = config.ids.uids.etcd;
+      isSystemUser = true;
+      group = "etcd";
       description = "Etcd daemon user";
       home = cfg.dataDir;
     };
+    users.groups.etcd = {};
   };
 }
diff --git a/nixos/modules/services/misc/nix-ssh-serve.nix b/nixos/modules/services/misc/nix-ssh-serve.nix
@@ -38,9 +38,11 @@ in {
 
     users.users.nix-ssh = {
       description = "Nix SSH store user";
-      uid = config.ids.uids.nix-ssh;
+      isSystemUser = true;
+      group = "nix-ssh";
       useDefaultShell = true;
     };
+    users.groups.nix-ssh = {};
 
     services.openssh.enable = true;
 

diff --git a/nixos/modules/services/misc/zookeeper.nix b/nixos/modules/services/misc/zookeeper.nix
@@ -148,9 +148,11 @@ in {
     };
 
     users.users.zookeeper = {
-      uid = config.ids.uids.zookeeper;
+      isSystemUser = true;
+      group = "zookeeper";
       description = "Zookeeper daemon user";
       home = cfg.dataDir;
     };
+    users.groups.zookeeper = {};
   };
 }
diff --git a/nixos/modules/services/monitoring/graphite.nix b/nixos/modules/services/monitoring/graphite.nix
@@ -561,6 +561,7 @@ in {
      ) {
       users.users.graphite = {
         uid = config.ids.uids.graphite;
+        group = "graphite";
         description = "Graphite daemon user";
         home = dataDir;
       };

diff --git a/nixos/modules/services/monitoring/netdata.nix b/nixos/modules/services/monitoring/netdata.nix
@@ -258,6 +258,7 @@ in {
 
     users.users = optionalAttrs (cfg.user == defaultUser) {
       ${defaultUser} = {
+        group = defaultUser;
         isSystemUser = true;
       };
     };

diff --git a/nixos/modules/services/monitoring/tuptime.nix b/nixos/modules/services/monitoring/tuptime.nix
@@ -36,6 +36,7 @@ in {
       groups._tuptime.members = [ "_tuptime" ];
       users._tuptime = {
         isSystemUser = true;
+        group = "_tuptime";
         description = "tuptime database owner";
       };
     };

diff --git a/nixos/modules/services/network-filesystems/orangefs/server.nix b/nixos/modules/services/network-filesystems/orangefs/server.nix
@@ -193,7 +193,10 @@ in {
     environment.systemPackages = [ pkgs.orangefs ];
 
     # orangefs daemon will run as user
-    users.users.orangefs.isSystemUser = true;
+    users.users.orangefs = {
+      isSystemUser = true;
+      group = "orangfs";
+    };
     users.groups.orangefs = {};
 
     # To format the file system the config file is needed.

diff --git a/nixos/modules/services/networking/bind.nix b/nixos/modules/services/networking/bind.nix
@@ -229,9 +229,11 @@ in
 
     users.users.${bindUser} =
       {
-        uid = config.ids.uids.bind;
+        group = bindUser;
         description = "BIND daemon user";
+        isSystemUser = true;
       };
+    users.groups.${bindUser} = {};
 
     systemd.services.bind = {
       description = "BIND Domain Name Server";

diff --git a/nixos/modules/services/networking/consul.nix b/nixos/modules/services/networking/consul.nix
@@ -159,10 +159,12 @@ in
 
       users.users.consul = {
         description = "Consul agent daemon user";
-        uid = config.ids.uids.consul;
+        isSystemUser = true;
+        group = "consul";
         # The shell is needed for health checks
         shell = "/run/current-system/sw/bin/bash";
       };
+      users.groups.consul = {};
 
       environment = {
         etc."consul.json".text = builtins.toJSON configOptions;

diff --git a/nixos/modules/services/networking/coturn.nix b/nixos/modules/services/networking/coturn.nix
@@ -311,6 +311,7 @@ in {
     {
       users.users.turnserver =
         { uid = config.ids.uids.turnserver;
+          group = "turnserver";
           description = "coturn TURN server user";
         };
       users.groups.turnserver =