author | Sandro <sandro.jaeckel@gmail.com> | 2022-07-17 01:21:42 +0200 |
committer | GitHub <noreply@github.com> | 2022-07-17 01:21:42 +0200 |
commit | 769329f5f883f991c3cc6f4eb18737c441e2e747 (patch) | |
tree | 03c59e7e835145d6c2172a3de0badceb37293197 /nixos | |
parent | 6d01ecd13630e1dc2546a564e21cc101ac2b36d2 (diff) | |
parent | 2a58907251af76c67c6d14c1e84e73f7eaeb95e8 (diff) |
Merge pull request #172058 from midchildan/improvement/1pw-gid
nixos/_1password{,-gui}: use a static gid
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/misc/ids.nix | 21 | ||||
-rw-r--r-- | nixos/modules/programs/_1password-gui.nix | 17 | ||||
-rw-r--r-- | nixos/modules/programs/_1password.nix | 17 |
3 files changed, 35 insertions, 20 deletions
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 60794cef3627a..e3d7866cabb51 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -667,6 +667,27 @@ in
# uid. Users and groups with the same name should have equal
# uids and gids. Also, don't use gids above 399!
+ # For exceptional cases where you really need a gid above 399, leave a
+ # comment stating why.
+ #
+ # Also, avoid the following GID ranges:
+ #
+ # 1000 - 29999: user accounts (see ../config/update-users-groups.pl)
+ # 30000 - 31000: nixbld users (the upper limit is arbitrarily chosen)
+ # 61184 - 65519: systemd DynamicUser (see systemd.exec(5))
+ # 65535: the error return sentinel value when uid_t was 16 bits
+ #
+ # 100000 - 6653600: subgid allocated for user namespaces
+ # (see ../config/update-users-groups.pl)
+ # 4294967294: unauthenticated user in some NFS implementations
+ # 4294967295: error return sentinel value
+ #
+ # References:
+ https://www.debian.org/doc/debian-policy/ch-opersys.html#uid-and-gid-classes
+
+ onepassword = 31001; # 1Password requires that its GID be larger than 1000
+ onepassword-cli = 31002; # 1Password requires that its GID be larger than 1000
+
users = 100;
nixbld = 30000;
nogroup = 65534;
diff --git a/nixos/modules/programs/_1password-gui.nix b/nixos/modules/programs/_1password-gui.nix
index 42f6a0b52252c..657116c267d92 100644
--- a/nixos/modules/programs/_1password-gui.nix
+++ b/nixos/modules/programs/_1password-gui.nix
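Review bot: The new entries `onepassword = 31001;` and `onepassword-cli = 31002;` sit directly above the `30000 - 31000: nixbld users` range whose upper limit the same comment block describes as arbitrarily chosen, so a host configured with on the order of a thousand or more build users would have nixbld uids landing on these gids — exactly the uid/gid collision the header comment asks contributors to avoid. Record that assumption next to the entries, e.g. `# 1Password requires a GID > 1000; placed just above the nixbld range, so assumes the build-user count stays below that ceiling`. The wording "larger than 1000" also disagrees with the removed option's check `x >= 1000` / "It must be 1000 or greater" in the two module files of this same commit — settle on the bound 1Password actually enforces and use it in both places. The `https://www.debian.org/...` reference line is rendered here without the leading `#` that its neighbours carry; if that is what was committed it is a Nix syntax error, though it is more likely a rendering artifact — worth a glance at the file.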
@@ -8,19 +8,16 @@ let
in
{
+ imports = [
+ (mkRemovedOptionModule [ "programs" "_1password-gui" "gid" ] ''
+ A preallocated GID will be used instead.
+ '')
+ ];
+
options = {
programs._1password-gui = {
enable = mkEnableOption "the 1Password GUI application";
- gid = mkOption {
- type = types.addCheck types.int (x: x >= 1000);
- example = literalExpression "5000";
- description = ''
- The gid to assign to the onepassword group, which is needed for browser integration.
- It must be 1000 or greater.
- '';
- };
-
polkitPolicyOwners = mkOption {
type = types.listOf types.str;
default = [ ];
@@ -44,7 +41,7 @@ in
in mkIf cfg.enable {
environment.systemPackages = [ package ];
- users.groups.onepassword.gid = cfg.gid;
+ users.groups.onepassword.gid = config.ids.gids.onepassword;
security.wrappers = {
"1Password-BrowserSupport" = {
diff --git a/nixos/modules/programs/_1password.nix b/nixos/modules/programs/_1password.nix
index 547c12867a916..b87e9b776e85b 100644
--- a/nixos/modules/programs/_1password.nix
+++ b/nixos/modules/programs/_1password.nix
@@ -8,19 +8,16 @@ let
in
{
+ imports = [
+ (mkRemovedOptionModule [ "programs" "_1password" "gid" ] ''
+ A preallocated GID will be used instead.
+ '')
+ ];
+
options = {
programs._1password = {
enable = mkEnableOption "the 1Password CLI tool";
- gid = mkOption {
- type = types.addCheck types.int (x: x >= 1000);
- example = literalExpression "5001";
- description = ''
- The gid to assign to the onepassword-cli group, which is needed for integration with the 1Password GUI.
- It must be 1000 or greater.
- '';
- };
-
package = mkPackageOption pkgs "1Password CLI" {
default = [ "_1password" ];
};
@@ -29,7 +26,7 @@ in
config = mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];
- users.groups.onepassword-cli.gid = cfg.gid;
+ users.groups.onepassword-cli.gid = config.ids.gids.onepassword-cli;
security.wrappers = {
"op" = {
|
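Review bot: The mkRemovedOptionModule message `A preallocated GID will be used instead.` does not tell a user who had set programs._1password-gui.gid what replaces their value, and the group's numeric id is what the `1Password-BrowserSupport` entry under security.wrappers in the next hunk presumably depends on, so the migration deserves a precise message such as `The onepassword group now uses the preallocated GID config.ids.gids.onepassword (31001) instead.`. If the group already exists on a machine under the old number, the next switch renumbers it while anything still group-owned by the old id keeps that id — a sentence about that in the message or the release notes would save someone a confusing debugging session. The enclosing `in { ... }` attribute set and the `options` block both continue past the end of this hunk.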
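Review bot: `users.groups.onepassword-cli.gid = config.ids.gids.onepassword-cli;` fixes the group's numeric id to a constant that the `op` entry under security.wrappers (its attributes lie outside the hunk) presumably relies on, yet nothing at the point of use says why the value must be static or where its constraint comes from; add a one-line why-comment above it, e.g. `# Preallocated in ids.nix: 1Password needs a stable gid above 1000 (see the comment there).`. The `config = mkIf cfg.enable {` set that opens this hunk closes past its end.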