Merge pull request #321 from barrucadu/fix-user-ids

Fix user IDs getting changed on reboot

hosts/carcosa/configuration.nix

@@ -333,7 +333,8 @@ in
   ## Remote Builds
   ###############################################################################
 
-  users.extraUsers.nix-remote-builder = {
+  users.users.nix-remote-builder = {
+    uid = 983;
     home = "/var/lib/nix-remote-builder";
     createHome = true;
     isSystemUser = true;
@@ -342,7 +343,7 @@ in
     openssh.authorizedKeys.keys =
       [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHFzMpx7QNSAb5tCbkzMRIG62PvBZysflwwCKchFDHtY nix@yuggoth" ];
   };
-  nix.settings.trusted-users = [ config.users.extraUsers.nix-remote-builder.name ];
+  nix.settings.trusted-users = [ config.users.users.nix-remote-builder.name ];
 
 
   ###############################################################################
@@ -361,7 +362,7 @@ in
   services.prometheus.webExternalUrl = "https://prometheus.carcosa.barrucadu.co.uk";
 
   # Extra packages
-  users.extraUsers.barrucadu.packages = with pkgs; [
+  users.users.barrucadu.packages = with pkgs; [
     irssi
     perl
   ];

hosts/nyarlathotep/configuration.nix

@@ -181,7 +181,7 @@ in
     (map (n: nameValuePair n { path = "/mnt/nas/${n}"; writable = "yes"; }) shares);
 
   # Guest user for NFS / Samba
-  users.extraUsers.notbarrucadu = {
+  users.users.notbarrucadu = {
     uid = 1001;
     description = "Guest user";
     isNormalUser = true;
@@ -499,7 +499,7 @@ in
   ];
 
   sops.secrets."users/bookdb_remote_sync/ssh_private_key" = {
-    owner = config.users.extraUsers.bookdb-remote-sync-send.name;
+    owner = config.users.users.bookdb-remote-sync-send.name;
     key = "users/remote_sync/ssh_private_key";
   };
 
@@ -511,15 +511,16 @@ in
   ];
 
   sops.secrets."users/bookmarks_remote_sync/ssh_private_key" = {
-    owner = config.users.extraUsers.bookmarks-remote-sync-send.name;
+    owner = config.users.users.bookmarks-remote-sync-send.name;
     key = "users/remote_sync/ssh_private_key";
   };
 
   ###############################################################################
   # RSS-to-Mastodon
   ###############################################################################
 
-  users.extraUsers.rss-to-mastodon = {
+  users.users.rss-to-mastodon = {
+    uid = 991;
     home = "/persist/var/lib/rss-to-mastodon";
     createHome = true;
     isSystemUser = true;

scripts/lint.sh

@@ -28,6 +28,10 @@ if git grep 'OnCalendar' | grep -vE 'scripts/lint.sh'; then
     exit 1
 fi
 
+if git grep 'users.extraUsers' | grep -vE 'scripts/lint.sh'; then
+    exit 1
+fi
+
 if git grep 'virtualisation.oci-containers' | grep -vE 'scripts/lint.sh|shared/oci-containers/'; then
     exit 1
 fi

shared/bookdb/default.nix

@@ -60,6 +60,7 @@ in
     };
 
     users.users.bookdb = {
+      uid = 998;
       description = "bookdb service user";
       home = cfg.dataDir;
       createHome = true;

shared/bookdb/remote-sync-receive.nix

@@ -7,7 +7,8 @@ let
 in
 {
   config = mkIf cfg.enable {
-    users.extraUsers.bookdb-remote-sync-receive = {
+    users.users.bookdb-remote-sync-receive = {
+      uid = 985;
       home = "/var/lib/bookdb-remote-sync-receive";
       createHome = true;
       isSystemUser = true;
@@ -38,9 +39,9 @@ in
 
     security.sudo.extraRules = [
       {
-        users = [ config.users.extraUsers.bookdb-remote-sync-receive.name ];
+        users = [ config.users.users.bookdb-remote-sync-receive.name ];
         commands = [
-          { command = "${pkgs.rsync}/bin/rsync -a --delete ${config.users.extraUsers.bookdb-remote-sync-receive.home}/bookdb-covers/ ${config.systemd.services.bookdb.environment.BOOKDB_UPLOADS_DIR}"; options = [ "NOPASSWD" ]; }
+          { command = "${pkgs.rsync}/bin/rsync -a --delete ${config.users.users.bookdb-remote-sync-receive.home}/bookdb-covers/ ${config.systemd.services.bookdb.environment.BOOKDB_UPLOADS_DIR}"; options = [ "NOPASSWD" ]; }
           { command = "${pkgs.coreutils}/bin/chown -R ${config.users.users.bookdb.name}.nogroup ${config.systemd.services.bookdb.environment.BOOKDB_UPLOADS_DIR}"; options = [ "NOPASSWD" ]; }
         ];
       }

shared/bookdb/remote-sync-send.nix

@@ -15,11 +15,13 @@ let
         ExecStart = pkgs.writeShellScript "bookdb-sync" ''
           set -ex
 
-          /run/wrappers/bin/sudo ${pkgs.coreutils}/bin/cp -r ${config.systemd.services.bookdb.environment.BOOKDB_UPLOADS_DIR}/ ~/bookdb-covers
-          trap "/run/wrappers/bin/sudo ${pkgs.coreutils}/bin/rm -rf ~/bookdb-covers" EXIT
+          cd $RUNTIME_DIRECTORY
+
+          /run/wrappers/bin/sudo ${pkgs.coreutils}/bin/cp -r ${config.systemd.services.bookdb.environment.BOOKDB_UPLOADS_DIR}/ bookdb-covers
+          trap "/run/wrappers/bin/sudo ${pkgs.coreutils}/bin/rm -rf bookdb-covers" EXIT
           rsync -az\
                 -e "ssh -i $SSH_KEY_FILE -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" \
-                ~/bookdb-covers/ \
+                bookdb-covers/ \
                 bookdb-remote-sync-receive@${target}:~/bookdb-covers/
           ssh -i "$SSH_KEY_FILE" \
               -o UserKnownHostsFile=/dev/null \
@@ -35,7 +37,8 @@ let
               bookdb-remote-sync-receive@${target} \
               receive-elasticsearch
         '';
-        User = config.users.extraUsers.bookdb-remote-sync-send.name;
+        User = config.users.users.bookdb-remote-sync-send.name;
+        RuntimeDirectory = "bookdb-sync-${target}";
       };
       environment = {
         ES_HOST = config.systemd.services.bookdb.environment.ES_HOST;
@@ -46,9 +49,8 @@ let
 in
 {
   config = mkIf cfg.enable {
-    users.extraUsers.bookdb-remote-sync-send = {
-      home = "/var/lib/bookdb-remote-sync-send";
-      createHome = true;
+    users.users.bookdb-remote-sync-send = {
+      uid = 985;
       isSystemUser = true;
       shell = pkgs.bashInteractive;
       group = "nogroup";
@@ -58,10 +60,10 @@ in
 
     security.sudo.extraRules = [
       {
-        users = [ config.users.extraUsers.bookdb-remote-sync-send.name ];
+        users = [ config.users.users.bookdb-remote-sync-send.name ];
         commands = [
-          { command = "${pkgs.coreutils}/bin/cp -r ${config.systemd.services.bookdb.environment.BOOKDB_UPLOADS_DIR}/ ${config.users.extraUsers.bookdb-remote-sync-send.home}/bookdb-covers"; options = [ "NOPASSWD" ]; }
-          { command = "${pkgs.coreutils}/bin/rm -rf ${config.users.extraUsers.bookdb-remote-sync-send.home}/bookdb-covers"; options = [ "NOPASSWD" ]; }
+          { command = "${pkgs.coreutils}/bin/cp -r ${config.systemd.services.bookdb.environment.BOOKDB_UPLOADS_DIR}/ bookdb-covers"; options = [ "NOPASSWD" ]; }
+          { command = "${pkgs.coreutils}/bin/rm -rf bookdb-covers"; options = [ "NOPASSWD" ]; }
         ];
       }
     ];

shared/bookmarks/remote-sync-receive.nix

@@ -7,7 +7,8 @@ let
 in
 {
   config = mkIf cfg.enable {
-    users.extraUsers.bookmarks-remote-sync-receive = {
+    users.users.bookmarks-remote-sync-receive = {
+      uid = 984;
       home = "/var/lib/bookmarks-remote-sync-receive";
       createHome = true;
       isSystemUser = true;

shared/bookmarks/remote-sync-send.nix

@@ -23,7 +23,7 @@ let
               bookmarks-remote-sync-receive@${target} \
               receive-elasticsearch
         '';
-        User = config.users.extraUsers.bookmarks-remote-sync-send.name;
+        User = config.users.users.bookmarks-remote-sync-send.name;
       };
       environment = {
         ES_HOST = config.systemd.services.bookmarks.environment.ES_HOST;
@@ -34,9 +34,8 @@ let
 in
 {
   config = mkIf cfg.enable {
-    users.extraUsers.bookmarks-remote-sync-send = {
-      home = "/var/lib/bookmarks-remote-sync-send";
-      createHome = true;
+    users.users.bookmarks-remote-sync-send = {
+      uid = 984;
       isSystemUser = true;
       shell = pkgs.bashInteractive;
       group = "nogroup";

shared/default.nix

@@ -64,7 +64,7 @@ in
     systemd.tmpfiles.rules = [ "d /tmp 1777 root root 14d" ] ++
       (
         let mkTmpDir = n: u: "d ${u.home}/tmp 0700 ${n} ${u.group} 7d";
-        in mapAttrsToList mkTmpDir (filterAttrs (_: u: u.isNormalUser) config.users.extraUsers)
+        in mapAttrsToList mkTmpDir (filterAttrs (_: u: u.isNormalUser) config.users.users)
       );
 
     # Enable passwd and co.
@@ -286,7 +286,7 @@ in
 
     programs.zsh.enable = true;
 
-    users.extraUsers.barrucadu = {
+    users.users.barrucadu = {
       uid = 1000;
       description = "Michael Walker <[email protected]>";
       isNormalUser = true;

shared/erase-your-darlings/default.nix

@@ -36,8 +36,8 @@ in
 
     # Switch back to immutable users
     users.mutableUsers = mkForce false;
-    users.extraUsers.barrucadu.initialPassword = mkForce null;
-    users.extraUsers.barrucadu.hashedPasswordFile = cfg.barrucaduPasswordFile;
+    users.users.barrucadu.initialPassword = mkForce null;
+    users.users.barrucadu.hashedPasswordFile = cfg.barrucaduPasswordFile;
 
     # Persist state in `cfg.persistDir`
     services.openssh.hostKeys = [

shared/foundryvtt/default.nix

@@ -37,6 +37,7 @@ in
     };
 
     users.users.foundryvtt = {
+      uid = 994;
       description = "Foundry VTT service user";
       home = cfg.dataDir;
       createHome = true;

shared/host-templates/website-mirror/default.nix

@@ -98,6 +98,9 @@ in
       };
     };
 
+    users.users.acme.uid = 986;
+    users.groups.acme.gid = 989;
+
 
     ###############################################################################
     ## Websites
@@ -232,7 +235,8 @@ in
     networking.firewall.allowedTCPPorts = [ 80 443 ];
 
     # Concourse access
-    users.extraUsers.concourse-deploy-robot = {
+    users.users.concourse-deploy-robot = {
+      uid = 997;
       home = "/var/lib/concourse-deploy-robot";
       createHome = true;
       isSystemUser = true;

shared/minecraft/default.nix

@@ -30,6 +30,7 @@ in
   config = mkIf cfg.enable {
     # from https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/games/minecraft-server.nix
     users.users.minecraft = {
+      uid = 993;
       description = "Minecraft server service user";
       home = cfg.dataDir;
       createHome = true;

shared/pleroma/default.nix

@@ -15,6 +15,9 @@ let
   backend = config.nixfiles.oci-containers.backend;
   backendPkg = if backend == "docker" then pkgs.docker else pkgs.podman;
   dbSocketDir = "/var/run/pleroma/db";
+
+  pleromaUser = config.services.pleroma.user;
+  pleromaGroup = config.services.pleroma.group;
 in
 {
   imports = [
@@ -78,6 +81,9 @@ in
         [ "${toString (pkgs.copyPathToStore cfg.faviconPath)}:/var/lib/pleroma/static/favicon.png" ];
     };
 
+    users.users."${pleromaUser}".uid = 989;
+    users.groups."${pleromaGroup}".gid = 994;
+
     nixfiles.oci-containers.pods.pleroma.containers.db = {
       image = "postgres:${cfg.postgresTag}";
       environment = {
@@ -99,7 +105,7 @@ in
         /run/wrappers/bin/sudo ${backendPkg}/bin/${backend} exec -i pleroma-db pg_dump -U pleroma --no-owner -Fc pleroma > postgres.dump
       '';
       paths = [
-        config.users.users.pleroma.home
+        config.users.users."${pleromaUser}".home
         "postgres.dump"
       ];
     };

shared/restic-backups/default.nix

@@ -120,6 +120,7 @@ in
 
   config = mkIf cfg.enable {
     users.users.backups = {
+      uid = 999;
       description = "backup service user";
       isSystemUser = true;
       group = "nogroup";