authormidchildan <git@midchildan.org>2022-05-08 19:48:29 +0900
committermidchildan <git@midchildan.org>2022-05-15 22:15:11 +0900
commit2a58907251af76c67c6d14c1e84e73f7eaeb95e8 (patch)
treedb87614ad6b1017a25f76ebb889449009c9eb1d4
parent3c8e6248cbb4b400c1b2b79d523e4b02b9a7ca40 (diff)
nixos/_1password{,-gui}: use a static gid
-rw-r--r--nixos/modules/misc/ids.nix21
-rw-r--r--nixos/modules/programs/_1password-gui.nix17
-rw-r--r--nixos/modules/programs/_1password.nix17
3 files changed, 35 insertions, 20 deletions
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 7d1faa50f4bf..7b0a3ab5c288 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -667,6 +667,27 @@ in
       # uid. Users and groups with the same name should have equal
       # uids and gids. Also, don't use gids above 399!
 
+      # For exceptional cases where you really need a gid above 399, leave a
+      # comment stating why.
+      #
+      # Also, avoid the following GID ranges:
+      #
+      #  1000 - 29999: user accounts (see ../config/update-users-groups.pl)
+      # 30000 - 31000: nixbld users (the upper limit is arbitrarily chosen)
+      # 61184 - 65519: systemd DynamicUser (see systemd.exec(5))
+      #         65535: the error return sentinel value when uid_t was 16 bits
+      #
+      # 100000 - 6653600: subgid allocated for user namespaces
+      #                   (see ../config/update-users-groups.pl)
+      #       4294967294: unauthenticated user in some NFS implementations
+      #       4294967295: error return sentinel value
+      #
+      # References:
+      # https://www.debian.org/doc/debian-policy/ch-opersys.html#uid-and-gid-classes
+
+      onepassword = 31001; # 1Password requires that its GID be larger than 1000
+      onepassword-cli = 31002; # 1Password requires that its GID be larger than 1000
+
       users = 100;
       nixbld = 30000;
       nogroup = 65534;
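Review bot: The justification on the two new entries, `# 1Password requires that its GID be larger than 1000`, does not match the check this commit removes in _1password-gui.nix and _1password.nix, `types.addCheck types.int (x: x >= 1000)` with the description "It must be 1000 or greater", so 1000 itself was accepted there. This comment is also the only record of why these two groups break the "don't use gids above 399" rule stated just above, so it should say why 31001 in particular was chosen: `# 1Password needs a GID of 1000 or greater; 31001/31002 are the first free GIDs above the nixbld range listed above`. A single comment above both lines would avoid repeating it. The `ids.gids` attribute set containing these entries begins and ends outside the hunk.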
diff --git a/nixos/modules/programs/_1password-gui.nix b/nixos/modules/programs/_1password-gui.nix
index 42f6a0b52252..657116c267d9 100644
--- a/nixos/modules/programs/_1password-gui.nix
+++ b/nixos/modules/programs/_1password-gui.nix
@@ -8,19 +8,16 @@ let
 
 in
 {
+  imports = [
+    (mkRemovedOptionModule [ "programs" "_1password-gui" "gid" ] ''
+      A preallocated GID will be used instead.
+    '')
+  ];
+
   options = {
     programs._1password-gui = {
       enable = mkEnableOption "the 1Password GUI application";
 
-      gid = mkOption {
-        type = types.addCheck types.int (x: x >= 1000);
-        example = literalExpression "5000";
-        description = ''
-          The gid to assign to the onepassword group, which is needed for browser integration.
-          It must be 1000 or greater.
-        '';
-      };
-
       polkitPolicyOwners = mkOption {
         type = types.listOf types.str;
         default = [ ];
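Review bot: The mkRemovedOptionModule message on the new lines, `A preallocated GID will be used instead.`, names neither the new value nor where it comes from, and says nothing about the effect on an existing system: a user who had set `programs._1password-gui.gid` will have the `onepassword` group renumbered on the next activation, and any files group-owned by the old numeric GID stop resolving to that group. Suggested wording: `The onepassword group now uses the preallocated GID config.ids.gids.onepassword; files group-owned by a previously configured GID keep that numeric group.` The same applies to the `programs._1password.gid` message in nixos/modules/programs/_1password.nix. Whether `mkRemovedOptionModule` is in scope here depends on a `with lib;` or argument binding above the hunk, which starts at the module's `let`.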
@@ -44,7 +41,7 @@ in
     in
     mkIf cfg.enable {
       environment.systemPackages = [ package ];
-      users.groups.onepassword.gid = cfg.gid;
+      users.groups.onepassword.gid = config.ids.gids.onepassword;
 
       security.wrappers = {
         "1Password-BrowserSupport" = {
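Review bot: The `x >= 1000` constraint that the removed `gid` option enforced has no replacement: the new line takes `config.ids.gids.onepassword` as-is, and if `ids.gids` is an ordinary option (internal or not) a configuration can still override that entry to a value below what 1Password accepts, with the group then silently created at that GID. An assertion inside the `mkIf cfg.enable` block would restore the check at evaluation time; the same applies to `users.groups.onepassword-cli.gid` in nixos/modules/programs/_1password.nix. The `mkIf cfg.enable` attribute set continues past the end of the hunk.
```nix
    mkIf cfg.enable {
      assertions = [{
        assertion = config.ids.gids.onepassword >= 1000;
        message = "programs._1password-gui: the onepassword group needs a GID of 1000 or greater for browser integration.";
      }];
      # … unchanged: environment.systemPackages, users.groups.onepassword.gid, security.wrappers …
```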
diff --git a/nixos/modules/programs/_1password.nix b/nixos/modules/programs/_1password.nix
index 547c12867a91..b87e9b776e85 100644
--- a/nixos/modules/programs/_1password.nix
+++ b/nixos/modules/programs/_1password.nix
@@ -8,19 +8,16 @@ let
 
 in
 {
+  imports = [
+    (mkRemovedOptionModule [ "programs" "_1password" "gid" ] ''
+      A preallocated GID will be used instead.
+    '')
+  ];
+
   options = {
     programs._1password = {
       enable = mkEnableOption "the 1Password CLI tool";
 
-      gid = mkOption {
-        type = types.addCheck types.int (x: x >= 1000);
-        example = literalExpression "5001";
-        description = ''
-          The gid to assign to the onepassword-cli group, which is needed for integration with the 1Password GUI.
-          It must be 1000 or greater.
-        '';
-      };
-
       package = mkPackageOption pkgs "1Password CLI" {
         default = [ "_1password" ];
       };
@@ -29,7 +26,7 @@ in
 
   config = mkIf cfg.enable {
     environment.systemPackages = [ cfg.package ];
-    users.groups.onepassword-cli.gid = cfg.gid;
+    users.groups.onepassword-cli.gid = config.ids.gids.onepassword-cli;
 
     security.wrappers = {
       "op" = {