nixos/users-groups: dump values of password options if multiple options have definitions
This was suggested since it might make it a little easier to identify the places where the definitions come from. Retrieving the effective definitions from the module-system seems non-trivial, especially for submodules though, hence only the values are shown for now.

I'd argue that especially the `password` option is mostly a convenience thing for test setups. If the password is an actual secret, it should be treated as such, i.e. `hashedPasswordFile` should be used.

For the `shadow` VM test, the new section of the warning looks like this:

    The values of these options are:

    * users.users."leo".hashedPassword: "$6$ymzs8WINZ5wGwQcV$VC2S0cQiX8NVukOLymysTPn4v1zJoJp3NGyhnqyv/dAf4NWZsBWYveQcj6gEJr4ZUjRBRjM0Pj1L8TCQ8hUUp0"
    * users.users."leo".hashedPasswordFile: null
    * users.users."leo".password: null
    * users.users."leo".initialHashedPassword: "!"
    * users.users."leo".initialPassword: null

parent 1b42d28618
commit 7cb22a0acb
@ -6,6 +6,7 @@ let
|
||||
attrNames
|
||||
attrValues
|
||||
concatMap
|
||||
concatMapStringsSep
|
||||
concatStrings
|
||||
elem
|
||||
filter
|
||||
@ -13,6 +14,7 @@ let
|
||||
flatten
|
||||
flip
|
||||
foldr
|
||||
generators
|
||||
getAttr
|
||||
hasAttr
|
||||
id
|
||||
@ -944,16 +946,18 @@ in {
|
||||
|
||||
warnings =
|
||||
flip concatMap (attrValues cfg.users) (user: let
|
||||
unambiguousPasswordConfiguration = 1 >= length (filter (x: x != null) ([
|
||||
user.hashedPassword
|
||||
user.hashedPasswordFile
|
||||
user.password
|
||||
passwordOptions = [
|
||||
"hashedPassword"
|
||||
"hashedPasswordFile"
|
||||
"password"
|
||||
] ++ optionals cfg.mutableUsers [
|
||||
# For immutable users, initialHashedPassword is set to hashedPassword,
|
||||
# so using these options would always trigger the assertion.
|
||||
user.initialHashedPassword
|
||||
user.initialPassword
|
||||
]));
|
||||
"initialHashedPassword"
|
||||
"initialPassword"
|
||||
];
|
||||
unambiguousPasswordConfiguration = 1 >= length
|
||||
(filter (x: x != null) (map (flip getAttr user) passwordOptions));
|
||||
in optional (!unambiguousPasswordConfiguration) ''
|
||||
The user '${user.name}' has multiple of the options
|
||||
`hashedPassword`, `password`, `hashedPasswordFile`, `initialPassword`
|
||||
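Review bot: the order of `passwordOptions` (`hashedPassword`, `hashedPasswordFile`, `password`, then the two `initial*` options) does not match the order in which the warning text names them (`hashedPassword`, `password`, `hashedPasswordFile`, `initialPassword`), and the text in the following hunk says the options discard each other "by the order of precedence given above". Because the new value dump iterates `passwordOptions`, a reader will see two different orderings inside one warning and cannot tell which one reflects precedence. Consider ordering the list by actual precedence, or building the option names in the message from `passwordOptions`, so the two cannot drift apart.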
@ -961,6 +965,13 @@ in {
|
||||
The options silently discard others by the order of precedence
|
||||
given above which can lead to surprising results. To resolve this warning,
|
||||
set at most one of the options above to a non-`null` value.
|
||||
|
||||
The values of these options are:
|
||||
${concatMapStringsSep
|
||||
"\n"
|
||||
(value:
|
||||
"* users.users.\"${user.name}\".${value}: ${generators.toPretty {} user.${value}}")
|
||||
passwordOptions}
|
||||
'')
|
||||
++ filter (x: x != null) (
|
||||
flip mapAttrsToList cfg.users (_: user:
|
||||
|
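Review bot: `generators.toPretty {} user.${value}` in the added dump prints `password` and `initialPassword` verbatim, so a cleartext password lands in the evaluation warning, and from there in any place that output is captured, whenever a user has more than one of these options set. The `hashedPassword` and `initialHashedPassword` values are less sensitive but are still material for offline guessing once copied out of the configuration. Consider printing only whether each option is set, or redacting the two plaintext options while still showing `hashedPasswordFile`, and if the full values are kept, say so in the warning text and point the reader at `hashedPasswordFile` for real secrets.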