feat: enforce deterministic user and group ids

2025-10-11 07:10:39 +02:00 · 2023-06-17 23:44:54 +02:00 · 2023-06-17 23:44:54 +02:00 · 9ed52a253c
commit 9ed52a253c
parent b5d2d31b69
4 changed files with 107 additions and 0 deletions
--- a/hosts/common/core/default.nix
+++ b/hosts/common/core/default.nix
@ -12,6 +12,7 @@

    ../../../users/root

+    ../../../modules/deteministic-ids.nix
    ../../../modules/distributed-config.nix
    ../../../modules/extra.nix
    ../../../modules/interface-naming.nix
--- a/hosts/common/core/impermanence.nix
+++ b/hosts/common/core/impermanence.nix
@ -131,6 +131,14 @@
          group = "kanidm";
          mode = "0700";
        }
+      ]
+      ++ lib.optionals config.services.vaultwarden.enable [
+        {
+          directory = "/var/lib/vaultwarden";
+          user = "vaultwarden";
+          group = "vaultwarden";
+          mode = "0700";
+        }
      ];
  };
 }
--- a/hosts/common/core/system.nix
+++ b/hosts/common/core/system.nix
@ -396,4 +396,21 @@

  systemd.enableUnifiedCgroupHierarchy = true;
  users.mutableUsers = false;
+
+  users.deterministicIds = let
+    uidGid = id: {
+      uid = id;
+      gid = id;
+    };
+  in {
+    systemd-oom = uidGid 999;
+    systemd-coredump = uidGid 998;
+    sshd = uidGid 997;
+    nscd = uidGid 996;
+    polkituser = uidGid 995;
+    microvm = uidGid 994;
+    promtail = uidGid 993;
+    grafana = uidGid 992;
+    acme = uidGid 991;
+  };
 }
--- a/modules/deteministic-ids.nix
+++ b/modules/deteministic-ids.nix
@ -0,0 +1,81 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  inherit
+    (lib)
+    concatLists
+    flip
+    mapAttrsToList
+    mkDefault
+    mdDoc
+    mkIf
+    mkMerge
+    mkOption
+    types
+    ;
+
+  cfg = config.users.deterministicIds;
+in {
+  options = {
+    users.deterministicIds = mkOption {
+      default = {};
+      description = mdDoc ''
+        Maps a user or group name to its expected uid/gid values. If a user/group is
+        used on the system without specifying a uid/gid, this module will assign the
+        corresponding ids defined here, or show an error if the definition is missing.
+      '';
+      type = types.attrsOf (types.submodule {
+        options = {
+          uid = mkOption {
+            type = types.nullOr types.int;
+            default = null;
+            description = mdDoc "The uid to assign if it is missing in `users.users.<name>`.";
+          };
+          gid = mkOption {
+            type = types.nullOr types.int;
+            default = null;
+            description = mdDoc "The gid to assign if it is missing in `users.groups.<name>`.";
+          };
+        };
+      });
+    };
+
+    users.users = mkOption {
+      type = types.attrsOf (types.submodule ({name, ...}: {
+        config.uid = let
+          deterministicUid = cfg.${name}.uid or null;
+        in
+          mkIf (deterministicUid != null) (mkDefault deterministicUid);
+      }));
+    };
+
+    users.groups = mkOption {
+      type = types.attrsOf (types.submodule ({name, ...}: {
+        config.gid = let
+          deterministicGid = cfg.${name}.gid or null;
+        in
+          mkIf (deterministicGid != null) (mkDefault deterministicGid);
+      }));
+    };
+  };
+
+  config = {
+    assertions =
+      concatLists (flip mapAttrsToList config.users.users (name: user: [
+        {
+          assertion = user.uid != null;
+          message = "non-deterministic uid detected for '${name}', please assign one via `users.deterministicIds`";
+        }
+        {
+          assertion = !user.autoSubUidGidRange;
+          message = "non-deterministic subUids/subGids detected for: ${name}";
+        }
+      ]))
+      ++ flip mapAttrsToList config.users.groups (name: group: {
+        assertion = group.gid != null;
+        message = "non-deterministic gid detected for '${name}', please assign one via `users.deterministicIds`";
+      });
+  };
+}