author | midchildan <git@midchildan.org> | 2022-05-08 19:48:29 +0900 |
committer | midchildan <git@midchildan.org> | 2022-05-15 22:15:11 +0900 |
commit | 2a58907251af76c67c6d14c1e84e73f7eaeb95e8 (patch) | |
tree | db87614ad6b1017a25f76ebb889449009c9eb1d4 | |
parent | 3c8e6248cbb4b400c1b2b79d523e4b02b9a7ca40 (diff) | |
nixos/_1password{,-gui}: use a static gid
-rw-r--r-- | nixos/modules/misc/ids.nix | 21 | ||||
-rw-r--r-- | nixos/modules/programs/_1password-gui.nix | 17 | ||||
-rw-r--r-- | nixos/modules/programs/_1password.nix | 17 |
3 files changed, 35 insertions, 20 deletions
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 7d1faa50f4bf..7b0a3ab5c288 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -667,6 +667,27 @@ in
 # uid. Users and groups with the same name should have equal
 # uids and gids. Also, don't use gids above 399!
+ # For exceptional cases where you really need a gid above 399, leave a
+ # comment stating why.
+ #
+ # Also, avoid the following GID ranges:
+ #
+ # 1000 - 29999: user accounts (see ../config/update-users-groups.pl)
+ # 30000 - 31000: nixbld users (the upper limit is arbitrarily chosen)
+ # 61184 - 65519: systemd DynamicUser (see systemd.exec(5))
+ # 65535: the error return sentinel value when uid_t was 16 bits
+ #
+ # 100000 - 6653600: subgid allocated for user namespaces
+ # (see ../config/update-users-groups.pl)
+ # 4294967294: unauthenticated user in some NFS implementations
+ # 4294967295: error return sentinel value
+ #
+ # References:
+ # https://www.debian.org/doc/debian-policy/ch-opersys.html#uid-and-gid-classes
+
+ onepassword = 31001; # 1Password requires that its GID be larger than 1000
+ onepassword-cli = 31002; # 1Password requires that its GID be larger than 1000
+
 users = 100;
 nixbld = 30000;
 nogroup = 65534;
diff --git a/nixos/modules/programs/_1password-gui.nix b/nixos/modules/programs/_1password-gui.nix
index 42f6a0b52252..657116c267d9 100644
--- a/nixos/modules/programs/_1password-gui.nix
+++ b/nixos/modules/programs/_1password-gui.nix
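Review bot: The inline comment on the two new `onepassword` entries says the GID must be "larger than 1000", while the option this commit removes enforced `x >= 1000` and documented "1000 or greater"; now that the option is gone this comment is the only place the requirement is recorded, so it should state the threshold exactly and say where it comes from, e.g. `onepassword = 31001; # 1Password requires a GID >= 1000 (see <vendor requirement doc, placeholder>)`. The chosen values also sit directly above the `30000 - 31000` nixbld range that the same comment block asks to avoid and whose upper limit it calls arbitrary, so a short note on why 31001/31002 were picked would keep a future widening of that range from colliding with them. The entries are placed ahead of `users = 100;` although the neighbouring entries appear to be ordered by value; if the list is meant to be sorted they belong after `nixbld = 30000;`.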
@@ -8,19 +8,16 @@ let
 in
 {
+ imports = [
+ (mkRemovedOptionModule [ "programs" "_1password-gui" "gid" ] ''
+ A preallocated GID will be used instead.
+ '')
+ ];
+
 options = {
 programs._1password-gui = {
 enable = mkEnableOption "the 1Password GUI application";
- gid = mkOption {
- type = types.addCheck types.int (x: x >= 1000);
- example = literalExpression "5000";
- description = ''
- The gid to assign to the onepassword group, which is needed for browser integration.
- It must be 1000 or greater.
- '';
- };
-
 polkitPolicyOwners = mkOption {
 type = types.listOf types.str;
 default = [ ];
@@ -44,7 +41,7 @@ in
 in mkIf cfg.enable {
 environment.systemPackages = [ package ];
- users.groups.onepassword.gid = cfg.gid;
+ users.groups.onepassword.gid = config.ids.gids.onepassword;
 security.wrappers = {
 "1Password-BrowserSupport" = {
diff --git a/nixos/modules/programs/_1password.nix b/nixos/modules/programs/_1password.nix
index 547c12867a91..b87e9b776e85 100644
--- a/nixos/modules/programs/_1password.nix
+++ b/nixos/modules/programs/_1password.nix
@@ -8,19 +8,16 @@ let
 in
 {
+ imports = [
+ (mkRemovedOptionModule [ "programs" "_1password" "gid" ] ''
+ A preallocated GID will be used instead.
+ '')
+ ];
+
 options = {
 programs._1password = {
 enable = mkEnableOption "the 1Password CLI tool";
- gid = mkOption {
- type = types.addCheck types.int (x: x >= 1000);
- example = literalExpression "5001";
- description = ''
- The gid to assign to the onepassword-cli group, which is needed for integration with the 1Password GUI.
- It must be 1000 or greater.
- '';
- };
-
 package = mkPackageOption pkgs "1Password CLI" {
 default = [ "_1password" ];
 };
@@ -29,7 +26,7 @@ in
 config = mkIf cfg.enable {
 environment.systemPackages = [ cfg.package ];
- users.groups.onepassword-cli.gid = cfg.gid;
+ users.groups.onepassword-cli.gid = config.ids.gids.onepassword-cli;
 security.wrappers = {
 "op" = { |
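Review bot: The removal message `A preallocated GID will be used instead.` in the new `imports` block does not say which GID or where it is defined, yet this value is what `users.groups.onepassword.gid` is set to in the second hunk and, going by the `security.wrappers` attribute that follows it (its body is outside the hunk), presumably what a wrapper for the browser helper is keyed on, so membership in that group is a trust boundary an administrator may need to reconcile with a pre-existing group on the host. Naming the replacement lets anyone who had set `programs._1password-gui.gid` find the new knob, since `ids.gids` entries can still be overridden in configuration: `A preallocated GID (config.ids.gids.onepassword) will be used instead.`. The same applies to the `programs._1password.gid` removal in _1password.nix, whose message should name `config.ids.gids.onepassword-cli`. In both files the second hunk edits a line inside a `config` attribute set whose start and end lie outside the hunk, and `mkRemovedOptionModule` is used unqualified, presumably in scope through the file's `with lib;` as the other `mk*` helpers are.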