feat: enforce deterministic user and group ids

2025-10-11 07:10:39 +02:00 · 2023-06-17 23:44:54 +02:00 · 2023-06-17 23:44:54 +02:00 · 9ed52a253c
commit 9ed52a253c
parent b5d2d31b69
4 changed files with 107 additions and 0 deletions
--- a/hosts/common/core/default.nix
+++ b/hosts/common/core/default.nix
@ -12,6 +12,7 @@

    ../../../users/root

+    ../../../modules/deteministic-ids.nix
    ../../../modules/distributed-config.nix
    ../../../modules/extra.nix
    ../../../modules/interface-naming.nix
--- a/hosts/common/core/impermanence.nix
+++ b/hosts/common/core/impermanence.nix
@ -131,6 +131,14 @@
          group = "kanidm";
          mode = "0700";
        }
+      ]
+      ++ lib.optionals config.services.vaultwarden.enable [
+        {
+          directory = "/var/lib/vaultwarden";
+          user = "vaultwarden";
+          group = "vaultwarden";
+          mode = "0700";
+        }
      ];
  };
 }
--- a/hosts/common/core/system.nix
+++ b/hosts/common/core/system.nix
@ -396,4 +396,21 @@

  systemd.enableUnifiedCgroupHierarchy = true;
  users.mutableUsers = false;
+
+  users.deterministicIds = let
+    uidGid = id: {
+      uid = id;
+      gid = id;
+    };
+  in {
+    systemd-oom = uidGid 999;
+    systemd-coredump = uidGid 998;
+    sshd = uidGid 997;
+    nscd = uidGid 996;
+    polkituser = uidGid 995;
+    microvm = uidGid 994;
+    promtail = uidGid 993;
+    grafana = uidGid 992;
+    acme = uidGid 991;
+  };
 }