treewide: Switch to system users

Janne Heß 2019-10-12 22:25:28 +02:00
parent d4f085036b
commit d6c08776ba
48 changed files with 81 additions and 17 deletions


@ -69,6 +69,7 @@ in {
users.users.x2go = { users.users.x2go = {
home = "/var/lib/x2go/db"; home = "/var/lib/x2go/db";
group = "x2go"; group = "x2go";
isSystemUser = true;
}; };
security.wrappers.x2gosqliteWrapper = { security.wrappers.x2gosqliteWrapper = {
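Review bot: The commit title says only "Switch to system users" and the description is empty, so it does not say what actually changes on a deployed host; the `isSystemUser = true;` added to the x2go attrset here (and in every other section) presumably only selects the range a UID is allocated from when no explicit `uid` is set, and accounts already created on running systems would keep the UID they were given — worth confirming against the user-creation script and stating in the message. A sentence along the lines of `Mark daemon accounts as system users so fresh installs allocate their UIDs from the system range; UIDs of existing accounts are not changed` would let readers judge the impact of a 48-file change. The x2go attrset itself is complete in this hunk (home, group, isSystemUser) and needs nothing further.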


@ -89,6 +89,7 @@ in
group = cfg.group; group = cfg.group;
home = cfg.dataDir; home = cfg.dataDir;
createHome = true; createHome = true;
isSystemUser = true;
}; };
systemd.services.oxidized = { systemd.services.oxidized = {


@ -223,6 +223,7 @@ in {
group = "jackaudio"; group = "jackaudio";
extraGroups = [ "audio" ]; extraGroups = [ "audio" ];
description = "JACK Audio system service user"; description = "JACK Audio system service user";
isSystemUser = true;
}; };
# http://jackaudio.org/faq/linux_rt_config.html # http://jackaudio.org/faq/linux_rt_config.html
security.pam.loginLimits = [ security.pam.loginLimits = [


@ -99,7 +99,10 @@ in
environment.systemPackages = [ pkg ]; environment.systemPackages = [ pkg ];
users.users.${user}.group = group; users.users.${user} = {
group = group;
isSystemUser = true;
};
users.groups.${group} = { }; users.groups.${group} = { };
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
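Review bot: `group = group;` on the second line of the new `users.users.${user}` attrset can be spelled `inherit group;`, which is the form this same commit uses in the Zabbix agent section (@ -131,6 +131,7) and the bitwarden_rs section (@ -74,7 +74,10). The identical `group = group;` line appears in the hunks at @ -277,7 +277,10, @ -461,7 +461,10, @ -309,7 +309,9 and @ -367,7 +367,10; choosing one spelling treewide keeps the commit uniform. There is no behavioural difference either way, this is only about consistency.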


@ -106,7 +106,7 @@ let
nameValuePair "borgbackup-job-${name}" (stringAfter [ "users" ] ('' nameValuePair "borgbackup-job-${name}" (stringAfter [ "users" ] (''
# Eensure that the home directory already exists # Eensure that the home directory already exists
# We can't assert createHome == true because that's not the case for root # We can't assert createHome == true because that's not the case for root
cd "${config.users.users.${cfg.user}.home}" cd "${config.users.users.${cfg.user}.home}"
${install} -d .config/borg ${install} -d .config/borg
${install} -d .cache/borg ${install} -d .cache/borg
'' + optionalString (isLocalPath cfg.repo) '' '' + optionalString (isLocalPath cfg.repo) ''


@ -191,6 +191,7 @@ in
createHome = true; createHome = true;
description = "Buildkite agent user"; description = "Buildkite agent user";
extraGroups = [ "keys" ]; extraGroups = [ "keys" ];
isSystemUser = true;
}; };
environment.systemPackages = [ cfg.package ]; environment.systemPackages = [ cfg.package ];


@ -194,7 +194,10 @@ in
allowedTCPPorts = [ cfg.port ]; allowedTCPPorts = [ cfg.port ];
}; };
users.users.redis.description = "Redis database user"; users.users.redis = {
description = "Redis database user";
isSystemUser = true;
};
environment.systemPackages = [ cfg.package ]; environment.systemPackages = [ cfg.package ];
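Review bot: The redis attrset is fully visible in this hunk and now sets `description` and `isSystemUser` but no `group`, so the account keeps the module's default primary group — which I believe is `nogroup` in this revision, please confirm. Leaving several unrelated daemons in one shared fallback group means any file one of them creates with group permissions is accessible to every other account in that group; the x2go, trezord and thelounge sections in this same commit pair the user with a dedicated group, e.g. `group = "redis";` together with `users.groups.redis = {};`. The same observation applies to the fully visible attrsets at @ -99,6 +99,7 (rethinkdb), @ -27,6 +27,7 (mailhog), @ -98,6 +98,7 (collectd), @ -49,6 +49,7 (fusion-inventory), @ -138,6 +138,7 (hans), @ -546,6 +546,7 (oauth2_proxy), @ -171,6 +171,7 (magnetico) and to the one-line forms at @ -84,7 +84,7, @ -32,7 +32,7 and @ -93,6 +93,6. Hunks that show only the tail of an attrset may well set `group` above the visible lines, so those are not included here.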


@ -99,6 +99,7 @@ in
users.users.rethinkdb = mkIf (cfg.user == "rethinkdb") users.users.rethinkdb = mkIf (cfg.user == "rethinkdb")
{ name = "rethinkdb"; { name = "rethinkdb";
description = "RethinkDB server user"; description = "RethinkDB server user";
isSystemUser = true;
}; };
users.groups = optionalAttrs (cfg.group == "rethinkdb") (singleton users.groups = optionalAttrs (cfg.group == "rethinkdb") (singleton


@ -115,6 +115,7 @@ in {
{ name = "infinoted"; { name = "infinoted";
description = "Infinoted user"; description = "Infinoted user";
group = cfg.group; group = cfg.group;
isSystemUser = true;
}; };
users.groups = optional (cfg.group == "infinoted") users.groups = optional (cfg.group == "infinoted")
{ name = "infinoted"; { name = "infinoted";


@ -74,6 +74,7 @@ in {
users.users.trezord = { users.users.trezord = {
group = "trezord"; group = "trezord";
description = "Trezor bridge daemon user"; description = "Trezor bridge daemon user";
isSystemUser = true;
}; };
users.groups.trezord = {}; users.groups.trezord = {};


@ -47,6 +47,7 @@ in
name = cfg.user; name = cfg.user;
description = "usbmuxd user"; description = "usbmuxd user";
group = cfg.group; group = cfg.group;
isSystemUser = true;
}; };
users.groups = optional (cfg.group == defaultUserGroup) { users.groups = optional (cfg.group == defaultUserGroup) {


@ -66,6 +66,7 @@ in {
users.users.vdr = { users.users.vdr = {
group = "vdr"; group = "vdr";
home = libDir; home = libDir;
isSystemUser = true;
}; };
users.groups.vdr = {}; users.groups.vdr = {};


@ -27,6 +27,7 @@ in {
users.users.mailhog = { users.users.mailhog = {
name = cfg.user; name = cfg.user;
description = "MailHog service user"; description = "MailHog service user";
isSystemUser = true;
}; };
systemd.services.mailhog = { systemd.services.mailhog = {


@ -148,6 +148,7 @@ in {
name = cfg.user; name = cfg.user;
home = cfg.home; home = cfg.home;
createHome = true; createHome = true;
isSystemUser = true;
}; };
}; };
} }


@ -145,11 +145,13 @@ in {
}; };
users.users.docker-registry = users.users.docker-registry =
if cfg.storagePath != null (if cfg.storagePath != null
then { then {
createHome = true; createHome = true;
home = cfg.storagePath; home = cfg.storagePath;
} }
else {}; else {}) // {
isSystemUser = true;
};
}; };
} }
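Review bot: The `(if … then { … } else {}) // { isSystemUser = true; }` shape the docker-registry hunk introduces reads awkwardly, because the one unconditional attribute is tucked behind the conditional block. Leading with the constant part and attaching the conditional attributes via `optionalAttrs` (already used by this commit in the rethinkdb and unit sections) expresses the same value more directly, assuming `lib` is in scope in this module as it is in those. The parenthesised expression is the whole `users.users.docker-registry` definition in the hunk, so the rewrite below is a drop-in.
```nix
users.users.docker-registry = {
  isSystemUser = true;
} // optionalAttrs (cfg.storagePath != null) {
  createHome = true;
  home = cfg.storagePath;
};
```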


@ -76,7 +76,10 @@ in {
}; };
config = mkIf (cfg.instances != {}) { config = mkIf (cfg.instances != {}) {
users.users.errbot.group = "errbot"; users.users.errbot = {
group = "errbot";
isSystemUser = true;
};
users.groups.errbot = {}; users.groups.errbot = {};
systemd.services = mapAttrs' (name: instanceCfg: nameValuePair "errbot-${name}" ( systemd.services = mapAttrs' (name: instanceCfg: nameValuePair "errbot-${name}" (


@ -409,6 +409,7 @@ in
home = cfg.stateDir; home = cfg.stateDir;
useDefaultShell = true; useDefaultShell = true;
group = "gitea"; group = "gitea";
isSystemUser = true;
}; };
}; };


@ -71,6 +71,7 @@ in
group = config.users.users.gollum.name; group = config.users.users.gollum.name;
description = "Gollum user"; description = "Gollum user";
createHome = false; createHome = false;
isSystemUser = true;
}; };
users.groups.gollum = { }; users.groups.gollum = { };


@ -41,7 +41,10 @@ in
}; };
users.users = mkIf (cfg.user == "jellyfin") { users.users = mkIf (cfg.user == "jellyfin") {
jellyfin.group = cfg.group; jellyfin = {
group = cfg.group;
isSystemUser = true;
};
}; };
users.groups = mkIf (cfg.group == "jellyfin") { users.groups = mkIf (cfg.group == "jellyfin") {


@ -59,6 +59,7 @@ in
group = config.users.users.osrm.name; group = config.users.users.osrm.name;
description = "OSRM user"; description = "OSRM user";
createHome = false; createHome = false;
isSystemUser = true;
}; };
users.groups.osrm = { }; users.groups.osrm = { };


@ -98,6 +98,7 @@ in {
users.users = optional (cfg.user == "collectd") { users.users = optional (cfg.user == "collectd") {
name = "collectd"; name = "collectd";
isSystemUser = true;
}; };
}; };
} }


@ -49,6 +49,7 @@ in {
users.users = singleton { users.users = singleton {
name = "fusion-inventory"; name = "fusion-inventory";
description = "FusionInventory user"; description = "FusionInventory user";
isSystemUser = true;
}; };
systemd.services.fusion-inventory = { systemd.services.fusion-inventory = {


@ -181,6 +181,7 @@ in {
users.users = optional (cfg.user == defaultUser) { users.users = optional (cfg.user == defaultUser) {
name = defaultUser; name = defaultUser;
isSystemUser = true;
}; };
users.groups = optional (cfg.group == defaultUser) { users.groups = optional (cfg.group == defaultUser) {


@ -131,6 +131,7 @@ in
users.users.${user} = { users.users.${user} = {
description = "Zabbix Agent daemon user"; description = "Zabbix Agent daemon user";
inherit group; inherit group;
isSystemUser = true;
}; };
users.groups.${group} = { }; users.groups.${group} = { };


@ -187,6 +187,7 @@ in {
group = cfg.group; group = cfg.group;
description = "Bitcoin daemon user"; description = "Bitcoin daemon user";
home = cfg.dataDir; home = cfg.dataDir;
isSystemUser = true;
}; };
users.groups.${cfg.group} = { users.groups.${cfg.group} = {
name = cfg.group; name = cfg.group;


@ -84,7 +84,7 @@ in {
config = mkIf config.services.dnscache.enable { config = mkIf config.services.dnscache.enable {
environment.systemPackages = [ pkgs.djbdns ]; environment.systemPackages = [ pkgs.djbdns ];
users.users.dnscache = {}; users.users.dnscache.isSystemUser = true;
systemd.services.dnscache = { systemd.services.dnscache = {
description = "djbdns dnscache server"; description = "djbdns dnscache server";


@ -142,6 +142,7 @@ in {
description = "dnscrypt-wrapper daemon user"; description = "dnscrypt-wrapper daemon user";
home = "${dataDir}"; home = "${dataDir}";
createHome = true; createHome = true;
isSystemUser = true;
}; };
users.groups.dnscrypt-wrapper = { }; users.groups.dnscrypt-wrapper = { };


@ -138,6 +138,7 @@ in
users.users = singleton { users.users = singleton {
name = hansUser; name = hansUser;
description = "Hans daemon user"; description = "Hans daemon user";
isSystemUser = true;
}; };
}; };


@ -95,6 +95,7 @@ in
users.users = optional (cfg.user == "matterbridge") users.users = optional (cfg.user == "matterbridge")
{ name = "matterbridge"; { name = "matterbridge";
group = "matterbridge"; group = "matterbridge";
isSystemUser = true;
}; };
users.groups = optional (cfg.group == "matterbridge") users.groups = optional (cfg.group == "matterbridge")


@ -74,6 +74,7 @@ in
{ description = "Morty user"; { description = "Morty user";
createHome = true; createHome = true;
home = "/var/lib/morty"; home = "/var/lib/morty";
isSystemUser = true;
}; };
systemd.services.morty = systemd.services.morty =


@ -96,6 +96,7 @@ in
users.groups.nghttpx = { }; users.groups.nghttpx = { };
users.users.nghttpx = { users.users.nghttpx = {
group = config.users.groups.nghttpx.name; group = config.users.groups.nghttpx.name;
isSystemUser = true;
}; };


@ -21,6 +21,7 @@ in
name = "owamp"; name = "owamp";
group = "owamp"; group = "owamp";
description = "Owamp daemon"; description = "Owamp daemon";
isSystemUser = true;
}; };
users.groups = singleton { users.groups = singleton {


@ -56,6 +56,7 @@ in {
users.users.thelounge = { users.users.thelounge = {
description = "thelounge service user"; description = "thelounge service user";
group = "thelounge"; group = "thelounge";
isSystemUser = true;
}; };
users.groups.thelounge = {}; users.groups.thelounge = {};
systemd.services.thelounge = { systemd.services.thelounge = {


@ -32,7 +32,7 @@ with lib;
config = mkIf config.services.tinydns.enable { config = mkIf config.services.tinydns.enable {
environment.systemPackages = [ pkgs.djbdns ]; environment.systemPackages = [ pkgs.djbdns ];
users.users.tinydns = {}; users.users.tinydns.isSystemUser = true;
systemd.services.tinydns = { systemd.services.tinydns = {
description = "djbdns tinydns server"; description = "djbdns tinydns server";


@ -93,6 +93,6 @@ in {
}; };
}; };
users.users.${cfg.user} = { }; users.users.${cfg.user}.isSystemUser = true;
}; };
} }


@ -74,7 +74,10 @@ in {
webVaultEnabled = mkDefault true; webVaultEnabled = mkDefault true;
}; };
users.users.bitwarden_rs = { inherit group; }; users.users.bitwarden_rs = {
inherit group;
isSystemUser = true;
};
users.groups.bitwarden_rs = { }; users.groups.bitwarden_rs = { };
systemd.services.bitwarden_rs = { systemd.services.bitwarden_rs = {


@ -546,6 +546,7 @@ in
users.users.oauth2_proxy = { users.users.oauth2_proxy = {
description = "OAuth2 Proxy"; description = "OAuth2 Proxy";
isSystemUser = true;
}; };
systemd.services.oauth2_proxy = { systemd.services.oauth2_proxy = {


@ -171,6 +171,7 @@ in {
users.users.magnetico = { users.users.magnetico = {
description = "Magnetico daemons user"; description = "Magnetico daemons user";
isSystemUser = true;
}; };
systemd.services.magneticod = { systemd.services.magneticod = {


@ -893,6 +893,7 @@ in
extraGroups = cfg.groups; extraGroups = cfg.groups;
home = cfg.workDir; home = cfg.workDir;
createHome = true; createHome = true;
isSystemUser = true;
}; };
systemd.services.codimd = { systemd.services.codimd = {


@ -177,6 +177,7 @@ in
{ name = cfg.user; { name = cfg.user;
group = cfg.group; group = cfg.group;
home = "${cfg.statePath}"; home = "${cfg.statePath}";
isSystemUser = true;
} }
]; ];


@ -277,7 +277,10 @@ in
systemd.services.httpd.after = optional mysqlLocal "mysql.service" ++ optional pgsqlLocal "postgresql.service"; systemd.services.httpd.after = optional mysqlLocal "mysql.service" ++ optional pgsqlLocal "postgresql.service";
users.users.${user}.group = group; users.users.${user} = {
group = group;
isSystemUser = true;
};
}; };
} }


@ -461,7 +461,10 @@ in
systemd.services.httpd.after = optional (cfg.database.createLocally && cfg.database.type == "mysql") "mysql.service"; systemd.services.httpd.after = optional (cfg.database.createLocally && cfg.database.type == "mysql") "mysql.service";
users.users.${user}.group = group; users.users.${user} = {
group = group;
isSystemUser = true;
};
environment.systemPackages = [ mediawikiScripts ]; environment.systemPackages = [ mediawikiScripts ];
}; };


@ -309,7 +309,9 @@ in
systemd.services.httpd.after = optional mysqlLocal "mysql.service" ++ optional pgsqlLocal "postgresql.service"; systemd.services.httpd.after = optional mysqlLocal "mysql.service" ++ optional pgsqlLocal "postgresql.service";
users.users.${user}.group = group; users.users.${user} = {
group = group;
isSystemUser = true;
};
}; };
} }


@ -54,6 +54,7 @@ in
home = stateDir; home = stateDir;
createHome = true; createHome = true;
group = mkIf config.virtualisation.libvirtd.enable "libvirtd"; group = mkIf config.virtualisation.libvirtd.enable "libvirtd";
isSystemUser = true;
}; };
systemd.services.virtlyst = { systemd.services.virtlyst = {


@ -367,7 +367,10 @@ in
}) })
]; ];
users.users.${user}.group = group; users.users.${user} = {
group = group;
isSystemUser = true;
};
}; };
} }


@ -102,7 +102,10 @@ with lib;
environment.systemPackages = [ pkgs.hitch ]; environment.systemPackages = [ pkgs.hitch ];
users.users.hitch.group = "hitch"; users.users.hitch = {
group = "hitch";
isSystemUser = true;
};
users.groups.hitch = {}; users.groups.hitch = {};
}; };
} }


@ -117,6 +117,7 @@ in {
group = "traefik"; group = "traefik";
home = cfg.dataDir; home = cfg.dataDir;
createHome = true; createHome = true;
isSystemUser = true;
}; };
users.groups.traefik = {}; users.groups.traefik = {};


@ -116,6 +116,7 @@ in {
users.users = optionalAttrs (cfg.user == "unit") (singleton { users.users = optionalAttrs (cfg.user == "unit") (singleton {
name = "unit"; name = "unit";
group = cfg.group; group = cfg.group;
isSystemUser = true;
}); });
users.groups = optionalAttrs (cfg.group == "unit") (singleton { users.groups = optionalAttrs (cfg.group == "unit") (singleton {