users-groups service: add autoSubUidGidRange option

Previously we allocated subuids automatically for all normal users. Make this explicitly configurable, so that one can use this for system users too (or explicitly disable for normal users). Also don't allocate automatically by default if a user already has ranges specified statically.
2022-01-05 13:20:47 +03:00
parent 95e4f1eff7
commit f2c5970a76
4 changed files with 26 additions and 2 deletions
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -204,6 +204,16 @@ let
        '';
      };

+      autoSubUidGidRange = mkOption {
+        type = types.bool;
+        default = false;
+        example = true;
+        description = ''
+          Automatically allocate subordinate user and group ids for this user.
+          Allocated range is currently always of size 65536.
+        '';
+      };
+
      createHome = mkOption {
        type = types.bool;
        default = false;
@@ -320,6 +330,9 @@ let
        (mkIf (!cfg.mutableUsers && config.initialHashedPassword != null) {
          hashedPassword = mkDefault config.initialHashedPassword;
        })
+        (mkIf (config.isNormalUser && config.subUidRanges == [] && config.subGidRanges == []) {
+          autoSubUidGidRange = mkDefault true;
+        })
      ];

  };
@@ -419,7 +432,7 @@ let
      { inherit (u)
          name uid group description home createHome isSystemUser
          password passwordFile hashedPassword
-          isNormalUser subUidRanges subGidRanges
+          autoSubUidGidRange subUidRanges subGidRanges
          initialPassword initialHashedPassword;
        shell = utils.toShellPath u.shell;
      }) cfg.users;