nixos/users-groups: rename passwordFile in hashedPasswordFile

This avoids the possible confusion with `passwordFile` being the file
version of `password`, while it should contain the password hash.

Fixes issue #165858.
This commit is contained in:
rnhmjoj 2023-09-08 21:13:31 +02:00
parent ef14cdd5b9
commit 5666a378cb
No known key found for this signature in database
GPG Key ID: BFBAF4C975F76450
2 changed files with 28 additions and 14 deletions

View File

@ -87,6 +87,8 @@
- `getent` has been moved from `glibc`'s `bin` output to its own dedicated output, reducing closure size for many dependents. Dependents using the `getent` alias should not be affected; others should move from using `glibc.bin` or `getBin glibc` to `getent` (which also improves compatibility with non-glibc platforms). - `getent` has been moved from `glibc`'s `bin` output to its own dedicated output, reducing closure size for many dependents. Dependents using the `getent` alias should not be affected; others should move from using `glibc.bin` or `getBin glibc` to `getent` (which also improves compatibility with non-glibc platforms).
- The `users.users.<name>.passwordFile` has been renamed to `users.users.<name>.hashedPasswordFile` to avoid possible confusions. The option is in fact the file-based version of `hashedPassword`, not `password`, and expects a file containing the {manpage}`crypt(3)` hash of the user password.
- The `services.ananicy.extraRules` option now has the type of `listOf attrs` instead of `string`. - The `services.ananicy.extraRules` option now has the type of `listOf attrs` instead of `string`.
- The `matrix-synapse` package & module have undergone some significant internal changes, for most setups no intervention is needed, though: - The `matrix-synapse` package & module have undergone some significant internal changes, for most setups no intervention is needed, though:

View File

@ -18,11 +18,11 @@ let
passwordDescription = '' passwordDescription = ''
The options {option}`hashedPassword`, The options {option}`hashedPassword`,
{option}`password` and {option}`passwordFile` {option}`password` and {option}`hashedPasswordFile`
controls what password is set for the user. controls what password is set for the user.
{option}`hashedPassword` overrides both {option}`hashedPassword` overrides both
{option}`password` and {option}`passwordFile`. {option}`password` and {option}`hashedPasswordFile`.
{option}`password` overrides {option}`passwordFile`. {option}`password` overrides {option}`hashedPasswordFile`.
If none of these three options are set, no password is assigned to If none of these three options are set, no password is assigned to
the user, and the user will not be able to do password logins. the user, and the user will not be able to do password logins.
If the option {option}`users.mutableUsers` is true, the If the option {option}`users.mutableUsers` is true, the
@ -250,18 +250,26 @@ let
''; '';
}; };
passwordFile = mkOption { hashedPasswordFile = mkOption {
type = with types; nullOr str; type = with types; nullOr str;
default = null; default = cfg.users.${name}.passwordFile;
defaultText = literalExpression "null";
description = lib.mdDoc '' description = lib.mdDoc ''
The full path to a file that contains the user's password. The password The full path to a file that contains the hash of the user's
file is read on each system activation. The file should contain password. The password file is read on each system activation. The
exactly one line, which should be the password in an encrypted form file should contain exactly one line, which should be the password in
that is suitable for the `chpasswd -e` command. an encrypted form that is suitable for the `chpasswd -e` command.
${passwordDescription} ${passwordDescription}
''; '';
}; };
passwordFile = mkOption {
type = with types; nullOr (passwdEntry str);
default = null;
visible = false;
description = lib.mdDoc "Deprecated alias of hashedPasswordFile";
};
initialHashedPassword = mkOption { initialHashedPassword = mkOption {
type = with types; nullOr (passwdEntry str); type = with types; nullOr (passwdEntry str);
default = null; default = null;
@ -447,7 +455,7 @@ let
users = mapAttrsToList (_: u: users = mapAttrsToList (_: u:
{ inherit (u) { inherit (u)
name uid group description home homeMode createHome isSystemUser name uid group description home homeMode createHome isSystemUser
password passwordFile hashedPassword password hashedPasswordFile hashedPassword
autoSubUidGidRange subUidRanges subGidRanges autoSubUidGidRange subUidRanges subGidRanges
initialPassword initialHashedPassword expires; initialPassword initialHashedPassword expires;
shell = utils.toShellPath u.shell; shell = utils.toShellPath u.shell;
@ -756,7 +764,7 @@ in {
&& &&
(allowsLogin cfg.hashedPassword (allowsLogin cfg.hashedPassword
|| cfg.password != null || cfg.password != null
|| cfg.passwordFile != null || cfg.hashedPasswordFile != null
|| cfg.openssh.authorizedKeys.keys != [] || cfg.openssh.authorizedKeys.keys != []
|| cfg.openssh.authorizedKeys.keyFiles != []) || cfg.openssh.authorizedKeys.keyFiles != [])
) cfg.users ++ [ ) cfg.users ++ [
@ -845,9 +853,13 @@ in {
The password hash of user "${user.name}" may be invalid. You must set a The password hash of user "${user.name}" may be invalid. You must set a
valid hash or the user will be locked out of their account. Please valid hash or the user will be locked out of their account. Please
check the value of option `users.users."${user.name}".hashedPassword`.'' check the value of option `users.users."${user.name}".hashedPassword`.''
else null else null)
)); ++ flip mapAttrsToList cfg.users (name: user:
if user.passwordFile != null then
''The option `users.users."${name}".passwordFile' has been renamed '' +
''to `users.users."${name}".hashedPasswordFile'.''
else null)
);
}; };
} }