diff --git a/hosts/carcosa/configuration.nix b/hosts/carcosa/configuration.nix
index 3107cf8..736c83c 100644
--- a/hosts/carcosa/configuration.nix
+++ b/hosts/carcosa/configuration.nix
@@ -333,7 +333,8 @@ in
 ## Remote Builds
 ###############################################################################
- users.extraUsers.nix-remote-builder = {
+ users.users.nix-remote-builder = {
+ uid = 983;
 home = "/var/lib/nix-remote-builder";
 createHome = true;
 isSystemUser = true;
@@ -342,7 +343,7 @@ in
 openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHFzMpx7QNSAb5tCbkzMRIG62PvBZysflwwCKchFDHtY nix@yuggoth" ];
 };
- nix.settings.trusted-users = [ config.users.extraUsers.nix-remote-builder.name ];
+ nix.settings.trusted-users = [ config.users.users.nix-remote-builder.name ];
 ###############################################################################
@@ -361,7 +362,7 @@ in
 services.prometheus.webExternalUrl = "https://prometheus.carcosa.barrucadu.co.uk";
 # Extra packages
- users.extraUsers.barrucadu.packages = with pkgs; [
+ users.users.barrucadu.packages = with pkgs; [
 irssi
 perl
 ];
diff --git a/hosts/nyarlathotep/configuration.nix b/hosts/nyarlathotep/configuration.nix
index f4ae454..bd2cc95 100644
--- a/hosts/nyarlathotep/configuration.nix
+++ b/hosts/nyarlathotep/configuration.nix
@@ -181,7 +181,7 @@ in
 (map (n: nameValuePair n { path = "/mnt/nas/${n}"; writable = "yes"; }) shares);
 # Guest user for NFS / Samba
- users.extraUsers.notbarrucadu = {
+ users.users.notbarrucadu = {
 uid = 1001;
 description = "Guest user";
 isNormalUser = true;
@@ -499,7 +499,7 @@ in
 ];
 sops.secrets."users/bookdb_remote_sync/ssh_private_key" = {
- owner = config.users.extraUsers.bookdb-remote-sync-send.name;
+ owner = config.users.users.bookdb-remote-sync-send.name;
 key = "users/remote_sync/ssh_private_key";
 };
@@ -511,7 +511,7 @@ in
 ];
 sops.secrets."users/bookmarks_remote_sync/ssh_private_key" = {
- owner = config.users.extraUsers.bookmarks-remote-sync-send.name;
+ owner = config.users.users.bookmarks-remote-sync-send.name;
 key = "users/remote_sync/ssh_private_key";
 };
@@ -519,7 +519,8 @@ in
 # RSS-to-Mastodon
 ###############################################################################
- users.extraUsers.rss-to-mastodon = {
+ users.users.rss-to-mastodon = {
+ uid = 991;
 home = "/persist/var/lib/rss-to-mastodon";
 createHome = true;
 isSystemUser = true;
diff --git a/scripts/lint.sh b/scripts/lint.sh
index 9c2c26b..24465c7 100644
--- a/scripts/lint.sh
+++ b/scripts/lint.sh
@@ -28,6 +28,10 @@ if git grep 'OnCalendar' | grep -vE 'scripts/lint.sh'; then
 exit 1
 fi
+if git grep 'users.extraUsers' | grep -vE 'scripts/lint.sh'; then
+ exit 1
+fi
+
 if git grep 'virtualisation.oci-containers' | grep -vE 'scripts/lint.sh|shared/oci-containers/'; then
 exit 1
 fi
diff --git a/shared/bookdb/default.nix b/shared/bookdb/default.nix
index ff3536d..8791e3a 100644
--- a/shared/bookdb/default.nix
+++ b/shared/bookdb/default.nix
@@ -60,6 +60,7 @@ in
 };
 users.users.bookdb = {
+ uid = 998;
 description = "bookdb service user";
 home = cfg.dataDir;
 createHome = true;
diff --git a/shared/bookdb/remote-sync-receive.nix b/shared/bookdb/remote-sync-receive.nix
index a94ac68..4b57951 100644
--- a/shared/bookdb/remote-sync-receive.nix
+++ b/shared/bookdb/remote-sync-receive.nix
@@ -7,7 +7,8 @@ in
 {
 config = mkIf cfg.enable {
- users.extraUsers.bookdb-remote-sync-receive = {
+ users.users.bookdb-remote-sync-receive = {
+ uid = 985;
 home = "/var/lib/bookdb-remote-sync-receive";
 createHome = true;
 isSystemUser = true;
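Review bot: The `uid = 985` given to bookdb-remote-sync-receive here is also assigned to bookdb-remote-sync-send in the `@@ -46,9 +49,8 @@` hunk of shared/bookdb/remote-sync-send.nix, and the bookmarks pair reuses `984` the same way in the two shared/bookmarks hunks. That is only safe while the send and receive halves are never enabled on the same host; if they ever are, NixOS's ID-uniqueness assertion (`users.enforceIdUniqueness`, on by default) rejects the configuration at evaluation time, which at least fails loudly rather than creating two accounts on one uid. Recording the intent on each of the two `uid` lines, e.g. `# shares 985 with bookdb-remote-sync-send; the two halves are never enabled on one host`, or giving the send side a distinct value, would avoid a confusing failure later. The commit also pins uids in most modules without saying why anywhere visible here; a short comment at the first pinned id per module (e.g. `# fixed uid so persisted state keeps a stable owner across rebuilds — TODO confirm`) would help future readers. The user block continues outside the hunk.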
@@ -38,9 +39,9 @@ in
 security.sudo.extraRules = [
 {
- users = [ config.users.extraUsers.bookdb-remote-sync-receive.name ];
+ users = [ config.users.users.bookdb-remote-sync-receive.name ];
 commands = [
- { command = "${pkgs.rsync}/bin/rsync -a --delete ${config.users.extraUsers.bookdb-remote-sync-receive.home}/bookdb-covers/ ${config.systemd.services.bookdb.environment.BOOKDB_UPLOADS_DIR}"; options = [ "NOPASSWD" ]; }
+ { command = "${pkgs.rsync}/bin/rsync -a --delete ${config.users.users.bookdb-remote-sync-receive.home}/bookdb-covers/ ${config.systemd.services.bookdb.environment.BOOKDB_UPLOADS_DIR}"; options = [ "NOPASSWD" ]; }
 { command = "${pkgs.coreutils}/bin/chown -R ${config.users.users.bookdb.name}.nogroup ${config.systemd.services.bookdb.environment.BOOKDB_UPLOADS_DIR}"; options = [ "NOPASSWD" ]; }
 ];
 }
diff --git a/shared/bookdb/remote-sync-send.nix b/shared/bookdb/remote-sync-send.nix
index 8e9703b..b6b3e55 100644
--- a/shared/bookdb/remote-sync-send.nix
+++ b/shared/bookdb/remote-sync-send.nix
@@ -15,11 +15,13 @@ let
 ExecStart = pkgs.writeShellScript "bookdb-sync" ''
 set -ex
- /run/wrappers/bin/sudo ${pkgs.coreutils}/bin/cp -r ${config.systemd.services.bookdb.environment.BOOKDB_UPLOADS_DIR}/ ~/bookdb-covers
- trap "/run/wrappers/bin/sudo ${pkgs.coreutils}/bin/rm -rf ~/bookdb-covers" EXIT
+ cd $RUNTIME_DIRECTORY
+
+ /run/wrappers/bin/sudo ${pkgs.coreutils}/bin/cp -r ${config.systemd.services.bookdb.environment.BOOKDB_UPLOADS_DIR}/ bookdb-covers
+ trap "/run/wrappers/bin/sudo ${pkgs.coreutils}/bin/rm -rf bookdb-covers" EXIT
 rsync -az\
 -e "ssh -i $SSH_KEY_FILE -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" \
- ~/bookdb-covers/ \
+ bookdb-covers/ \
 bookdb-remote-sync-receive@${target}:~/bookdb-covers/
 ssh -i "$SSH_KEY_FILE" \
 -o UserKnownHostsFile=/dev/null \
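Review bot: The NOPASSWD sudo rules rewritten in the `@@ -58,10 +60,10 @@` hunk of this file now name `bookdb-covers` as a bare relative path, and sudoers matches arguments textually, so the root `cp` into and `rm -rf` of a `bookdb-covers` entry are permitted from whatever directory the calling account happens to be in, whereas the old rules were pinned to an absolute path under the user's home. Since `RuntimeDirectory = "bookdb-sync-${target}"` fixes the working directory to `/run/bookdb-sync-${target}`, the script lines above and the rule commands can both use that absolute path (below), after which the `cd $RUNTIME_DIRECTORY` line is no longer needed; the rules presumably have to be generated per target for this, since `target` is not in scope in the `config` block as far as this diff shows. It is also worth confirming whether the `rm -rf` rule is still needed at all, because systemd removes a RuntimeDirectory when the unit stops unless `RuntimeDirectoryPreserve=` says otherwise, which would drop one root-capable command from the rule set. The shell script continues past the end of this hunk.
```nix
      # … unchanged: set -ex …
      /run/wrappers/bin/sudo ${pkgs.coreutils}/bin/cp -r ${config.systemd.services.bookdb.environment.BOOKDB_UPLOADS_DIR}/ /run/bookdb-sync-${target}/bookdb-covers
      trap "/run/wrappers/bin/sudo ${pkgs.coreutils}/bin/rm -rf /run/bookdb-sync-${target}/bookdb-covers" EXIT
      # … unchanged: rsync -az and its -e ssh options …
        /run/bookdb-sync-${target}/bookdb-covers/ \
      # … unchanged: rsync destination, ssh receive-elasticsearch call, User, RuntimeDirectory …
      # sudo rules (hunk @@ -58,10 +60,10 @@); `target` must be in scope here, e.g. by mapping the rule over the targets
      { command = "${pkgs.coreutils}/bin/cp -r ${config.systemd.services.bookdb.environment.BOOKDB_UPLOADS_DIR}/ /run/bookdb-sync-${target}/bookdb-covers"; options = [ "NOPASSWD" ]; }
      { command = "${pkgs.coreutils}/bin/rm -rf /run/bookdb-sync-${target}/bookdb-covers"; options = [ "NOPASSWD" ]; }
```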
@@ -35,7 +37,8 @@ let
 bookdb-remote-sync-receive@${target} \
 receive-elasticsearch
 '';
- User = config.users.extraUsers.bookdb-remote-sync-send.name;
+ User = config.users.users.bookdb-remote-sync-send.name;
+ RuntimeDirectory = "bookdb-sync-${target}";
 };
 environment = {
 ES_HOST = config.systemd.services.bookdb.environment.ES_HOST;
@@ -46,9 +49,8 @@ let
 in
 {
 config = mkIf cfg.enable {
- users.extraUsers.bookdb-remote-sync-send = {
- home = "/var/lib/bookdb-remote-sync-send";
- createHome = true;
+ users.users.bookdb-remote-sync-send = {
+ uid = 985;
 isSystemUser = true;
 shell = pkgs.bashInteractive;
 group = "nogroup";
@@ -58,10 +60,10 @@ in
 security.sudo.extraRules = [
 {
- users = [ config.users.extraUsers.bookdb-remote-sync-send.name ];
+ users = [ config.users.users.bookdb-remote-sync-send.name ];
 commands = [
- { command = "${pkgs.coreutils}/bin/cp -r ${config.systemd.services.bookdb.environment.BOOKDB_UPLOADS_DIR}/ ${config.users.extraUsers.bookdb-remote-sync-send.home}/bookdb-covers"; options = [ "NOPASSWD" ]; }
- { command = "${pkgs.coreutils}/bin/rm -rf ${config.users.extraUsers.bookdb-remote-sync-send.home}/bookdb-covers"; options = [ "NOPASSWD" ]; }
+ { command = "${pkgs.coreutils}/bin/cp -r ${config.systemd.services.bookdb.environment.BOOKDB_UPLOADS_DIR}/ bookdb-covers"; options = [ "NOPASSWD" ]; }
+ { command = "${pkgs.coreutils}/bin/rm -rf bookdb-covers"; options = [ "NOPASSWD" ]; }
 ];
 }
 ];
diff --git a/shared/bookmarks/remote-sync-receive.nix b/shared/bookmarks/remote-sync-receive.nix
index 8756133..2fc0982 100644
--- a/shared/bookmarks/remote-sync-receive.nix
+++ b/shared/bookmarks/remote-sync-receive.nix
@@ -7,7 +7,8 @@ in
 {
 config = mkIf cfg.enable {
- users.extraUsers.bookmarks-remote-sync-receive = {
+ users.users.bookmarks-remote-sync-receive = {
+ uid = 984;
 home = "/var/lib/bookmarks-remote-sync-receive";
 createHome = true;
 isSystemUser = true;
diff --git a/shared/bookmarks/remote-sync-send.nix b/shared/bookmarks/remote-sync-send.nix
index 63e1d7f..d83ed2e 100644
--- a/shared/bookmarks/remote-sync-send.nix
+++ b/shared/bookmarks/remote-sync-send.nix
@@ -23,7 +23,7 @@ let
 bookmarks-remote-sync-receive@${target} \
 receive-elasticsearch
 '';
- User = config.users.extraUsers.bookmarks-remote-sync-send.name;
+ User = config.users.users.bookmarks-remote-sync-send.name;
 };
 environment = {
 ES_HOST = config.systemd.services.bookmarks.environment.ES_HOST;
@@ -34,9 +34,8 @@ let
 in
 {
 config = mkIf cfg.enable {
- users.extraUsers.bookmarks-remote-sync-send = {
- home = "/var/lib/bookmarks-remote-sync-send";
- createHome = true;
+ users.users.bookmarks-remote-sync-send = {
+ uid = 984;
 isSystemUser = true;
 shell = pkgs.bashInteractive;
 group = "nogroup";
diff --git a/shared/default.nix b/shared/default.nix
index 68dd458..e9133f8 100644
--- a/shared/default.nix
+++ b/shared/default.nix
@@ -64,7 +64,7 @@ in
 systemd.tmpfiles.rules = [ "d /tmp 1777 root root 14d" ] ++ (
 let mkTmpDir = n: u: "d ${u.home}/tmp 0700 ${n} ${u.group} 7d";
- in mapAttrsToList mkTmpDir (filterAttrs (_: u: u.isNormalUser) config.users.extraUsers)
+ in mapAttrsToList mkTmpDir (filterAttrs (_: u: u.isNormalUser) config.users.users)
 );
 # Enable passwd and co.
@@ -286,7 +286,7 @@ in
 programs.zsh.enable = true;
- users.extraUsers.barrucadu = {
+ users.users.barrucadu = {
 uid = 1000;
 description = "Michael Walker ";
 isNormalUser = true;
diff --git a/shared/erase-your-darlings/default.nix b/shared/erase-your-darlings/default.nix
index b419e01..b58633f 100644
--- a/shared/erase-your-darlings/default.nix
+++ b/shared/erase-your-darlings/default.nix
@@ -36,8 +36,8 @@ in
 # Switch back to immutable users
 users.mutableUsers = mkForce false;
- users.extraUsers.barrucadu.initialPassword = mkForce null;
- users.extraUsers.barrucadu.hashedPasswordFile = cfg.barrucaduPasswordFile;
+ users.users.barrucadu.initialPassword = mkForce null;
+ users.users.barrucadu.hashedPasswordFile = cfg.barrucaduPasswordFile;
 # Persist state in `cfg.persistDir`
 services.openssh.hostKeys = [
diff --git a/shared/foundryvtt/default.nix b/shared/foundryvtt/default.nix
index c1662ae..48fb065 100644
--- a/shared/foundryvtt/default.nix
+++ b/shared/foundryvtt/default.nix
@@ -37,6 +37,7 @@ in
 };
 users.users.foundryvtt = {
+ uid = 994;
 description = "Foundry VTT service user";
 home = cfg.dataDir;
 createHome = true;
diff --git a/shared/host-templates/website-mirror/default.nix b/shared/host-templates/website-mirror/default.nix
index 9775a33..f8b5146 100644
--- a/shared/host-templates/website-mirror/default.nix
+++ b/shared/host-templates/website-mirror/default.nix
@@ -98,6 +98,9 @@ in
 };
 };
+ users.users.acme.uid = 986;
+ users.groups.acme.gid = 989;
+
 ###############################################################################
 ## Websites
@@ -232,7 +235,8 @@ in
 networking.firewall.allowedTCPPorts = [ 80 443 ];
 # Concourse access
- users.extraUsers.concourse-deploy-robot = {
+ users.users.concourse-deploy-robot = {
+ uid = 997;
 home = "/var/lib/concourse-deploy-robot";
 createHome = true;
 isSystemUser = true;
diff --git a/shared/minecraft/default.nix b/shared/minecraft/default.nix
index d04912f..60cae9e 100644
--- a/shared/minecraft/default.nix
+++ b/shared/minecraft/default.nix
@@ -30,6 +30,7 @@ in
 config = mkIf cfg.enable {
 # from https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/games/minecraft-server.nix
 users.users.minecraft = {
+ uid = 993;
 description = "Minecraft server service user";
 home = cfg.dataDir;
 createHome = true;
diff --git a/shared/pleroma/default.nix b/shared/pleroma/default.nix
index 6fffac4..7a6a1ad 100644
--- a/shared/pleroma/default.nix
+++ b/shared/pleroma/default.nix
@@ -15,6 +15,9 @@ let
 backend = config.nixfiles.oci-containers.backend;
 backendPkg = if backend == "docker" then pkgs.docker else pkgs.podman;
 dbSocketDir = "/var/run/pleroma/db";
+
+ pleromaUser = config.services.pleroma.user;
+ pleromaGroup = config.services.pleroma.group;
 in
 {
 imports = [
@@ -78,6 +81,9 @@ in
 [ "${toString (pkgs.copyPathToStore cfg.faviconPath)}:/var/lib/pleroma/static/favicon.png" ];
 };
+ users.users."${pleromaUser}".uid = 989;
+ users.groups."${pleromaGroup}".gid = 994;
+
 nixfiles.oci-containers.pods.pleroma.containers.db = {
 image = "postgres:${cfg.postgresTag}";
 environment = {
@@ -99,7 +105,7 @@ in
 /run/wrappers/bin/sudo ${backendPkg}/bin/${backend} exec -i pleroma-db pg_dump -U pleroma --no-owner -Fc pleroma > postgres.dump
 '';
 paths = [
- config.users.users.pleroma.home
+ config.users.users."${pleromaUser}".home
 "postgres.dump"
 ];
 };
diff --git a/shared/restic-backups/default.nix b/shared/restic-backups/default.nix
index 27af485..f9eec4f 100644
--- a/shared/restic-backups/default.nix
+++ b/shared/restic-backups/default.nix
@@ -120,6 +120,7 @@ in
 config = mkIf cfg.enable {
 users.users.backups = {
+ uid = 999;
 description = "backup service user";
 isSystemUser = true;
 group = "nogroup";
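Review bot: The attribute paths `users.users."${pleromaUser}".uid = 989;` and `users.groups."${pleromaGroup}".gid = 994;` in the `@@ -78,6 +81,9 @@` hunk (and `config.users.users."${pleromaUser}".home` in the `@@ -99,7 +105,7 @@` hunk) quote an interpolation that Nix accepts bare, so `users.users.${pleromaUser}.uid = 989;` reads the same and does not suggest the name needs quoting. The two new `let` bindings are also the only place in this diff where an account is addressed through another module's option rather than by a literal name, and nothing here says why; a one-line comment above `pleromaUser`, e.g. `# the pleroma module owns this account, so take its name from the module instead of hard-coding "pleroma"`, would make the indirection self-explanatory, assuming that is indeed the reason. The enclosing `let` block starts before the first hunk.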