From 7cb22a0acb54845acecfeb002c396b0c0ffa3292 Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Thu, 17 Oct 2024 17:35:47 +0200 Subject: [PATCH] nixos/users-groups: dump values of password options if multiple options have definitions This was suggested since it might make it a little easier to identify the places where the definitions come from. Retrieving the effective definitions from the module-system seems non-trivial, especially for submodules though, hence only the values are shown for now. I'd argue that especially the `password` option are mostly a convenience thing for test setups. If the password is an actual secret, it should be treated as such, i.e. `hashedPasswordFile` should be used. For the `shadow` VM test, the new section of the warning looks like this: The values of these options are: * users.users."leo".hashedPassword: "$6$ymzs8WINZ5wGwQcV$VC2S0cQiX8NVukOLymysTPn4v1zJoJp3NGyhnqyv/dAf4NWZsBWYveQcj6gEJr4ZUjRBRjM0Pj1L8TCQ8hUUp0" * users.users."leo".hashedPasswordFile: null * users.users."leo".password: null * users.users."leo".initialHashedPassword: "!" * users.users."leo".initialPassword: null
---
 nixos/modules/config/users-groups.nix | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
index 69646e550f1f..845f9fdaf68e 100644
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -6,6 +6,7 @@ let
 attrNames
 attrValues
 concatMap
+ concatMapStringsSep
 concatStrings
 elem
 filter
@@ -13,6 +14,7 @@ let
 flatten
 flip
 foldr
+ generators
 getAttr
 hasAttr
 id
@@ -944,16 +946,18 @@ in {
 warnings = flip concatMap (attrValues cfg.users) (user: let
- unambiguousPasswordConfiguration = 1 >= length (filter (x: x != null) ([
- user.hashedPassword
- user.hashedPasswordFile
- user.password
+ passwordOptions = [
+ "hashedPassword"
+ "hashedPasswordFile"
+ "password"
 ] ++ optionals cfg.mutableUsers [
 # For immutable users, initialHashedPassword is set to hashedPassword,
 # so using these options would always trigger the assertion.
- user.initialHashedPassword
- user.initialPassword
- ]));
+ "initialHashedPassword"
+ "initialPassword"
+ ];
+ unambiguousPasswordConfiguration = 1 >= length
+ (filter (x: x != null) (map (flip getAttr user) passwordOptions));
 in optional (!unambiguousPasswordConfiguration) '' The user '${user.name}' has multiple of the options `hashedPassword`, `password`, `hashedPasswordFile`, `initialPassword`
@@ -961,6 +965,13 @@ in {
 The options silently discard others by the order of precedence given above which can lead to surprising results. To resolve this warning, set at most one of the options above to a non-`null` value.
+
+ The values of these options are:
+ ${concatMapStringsSep
+ "\n"
+ (value:
+ "* users.users.\"${user.name}\".${value}: ${generators.toPretty {} user.${value}}")
+ passwordOptions}
 '') ++ filter (x: x != null) (
 flip mapAttrsToList cfg.users (_: user:
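Review bot: The `passwordOptions` list introduced in the `let` of this hunk is consumed later in the same commit to print each option's value verbatim through `generators.toPretty {} user.${value}`, so a non-null `password` or `initialPassword` (plaintext) and `hashedPassword` (crackable offline) land in the evaluation warning and therefore in `nixos-rebuild` output, CI and Hydra logs. The warning only fires when several of these options are set, which is exactly the misconfiguration where a real secret may sit next to `hashedPasswordFile`, so the commit-message argument that `password` is test-only does not protect this code path. Since the stated goal is to see which definitions exist, printing presence instead of the value is sufficient: add beside `passwordOptions` a helper `showValue = name: if user.${name} == null || name == "hashedPasswordFile" then generators.toPretty {} user.${name} else "<set, redacted>";` and render each line as `"* users.users.\"${user.name}\".${name}: ${showValue name}"`. The enclosing `warnings` definition begins before this hunk and its string body continues into the next one.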