nixos/users-groups: escape hatch for enabling a shell system-wide

2023-03-31 19:10:19 +00:00 · 2023-03-31 19:10:19 +00:00 · 093f354a17
commit 093f354a17
parent bfbbf80015
2 changed files with 21 additions and 1 deletions
--- a/nixos/doc/manual/release-notes/rl-2311.section.md
+++ b/nixos/doc/manual/release-notes/rl-2311.section.md
@ -26,6 +26,11 @@

 [`sudo-rs`]: https://github.com/memorysafety/sudo-rs/

+- If the user has a custom shell enabled via `users.users.${USERNAME}.shell = ${CUSTOMSHELL}`, the
+  assertion will require them to also set `programs.${CUSTOMSHELL}.enable =
+  true`. This is generally safe behavior, but for anyone needing to opt out from
+  the check `users.users.${USERNAME}.ignoreShellProgramCheck = true` will do the job.
+
 ## New Services {#sec-release-23.11-new-services}

 - [MCHPRS](https://github.com/MCHPR/MCHPRS), a multithreaded Minecraft server built for redstone. Available as [services.mchprs](#opt-services.mchprs.enable).
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@ -172,6 +172,17 @@ let
        '';
      };

+      ignoreShellProgramCheck = mkOption {
+        type = types.bool;
+        default = false;
+        description = lib.mdDoc ''
+          By default, nixos will check that programs.SHELL.enable is set to
+          true if the user has a custom shell specified. If that behavior isn't
+          required and there are custom overrides in place to make sure that the
+          shell is functional, set this to true.
+        '';
+      };
+
      subUidRanges = mkOption {
        type = with types; listOf (submodule subordinateUidRange);
        default = [];
@ -810,13 +821,17 @@ in {
            '';
          }
        ] ++ (map (shell: {
-            assertion = (user.shell == pkgs.${shell}) -> (config.programs.${shell}.enable == true);
+            assertion = !user.ignoreShellProgramCheck -> (user.shell == pkgs.${shell}) -> (config.programs.${shell}.enable == true);
            message = ''
              users.users.${user.name}.shell is set to ${shell}, but
              programs.${shell}.enable is not true. This will cause the ${shell}
              shell to lack the basic nix directories in its PATH and might make
              logging in as that user impossible. You can fix it with:
              programs.${shell}.enable = true;
+
+              If you know what you're doing and you are fine with the behavior,
+              set users.users.${user.name}.ignoreShellProgramCheck = true;
+              instead.
            '';
          }) [
          "fish"