nixos/systemd-sysusers: assert against password and hashedPassword

Regardless of mutable or immutable users, systemd-sysupdate never updates existing user records and thus will for example never change passwords for you. It only support initial passwords and now actively asserts agains other paswords.
NixOS · Jul 21, 2024 · 2ca0453 · 2ca0453
1 parent 2710a49
commit 2ca0453
Showing 1 changed file with 10 additions and 3 deletions.
diff --git a/nixos/modules/system/boot/systemd/sysusers.nix b/nixos/modules/system/boot/systemd/sysusers.nix
@@ -72,12 +72,19 @@ in
         assertion = config.users.mutableUsers -> config.system.etc.overlay.enable;
         message = "config.users.mutableUsers requires config.system.etc.overlay.enable.";
       }
-    ] ++ lib.mapAttrsToList
-      (username: opts: {
+    ] ++ (lib.mapAttrsToList
+      (_username: opts: {
         assertion = !opts.isNormalUser;
         message = "systemd-sysusers doesn't create normal users. You can currently only use it to create system users.";
       })
-      userCfg.users;
+      userCfg.users)
+    ++ lib.mapAttrsToList
+      (username: opts: {
+        assertion = (opts.password == opts.initialPassword || opts.password == null) &&
+          (opts.hashedPassword == opts.initialHashedPassword || opts.hashedPassword == null);
+        message = "${username} uses password or hashedPassword. systemd-sysupdate only supports initial passwords. It'll never update your passwords.";
+      })
+      systemUsers;
 
     systemd = {