movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-20 08:29:20 +03:00
Code Activity

nixos/_1password{,-gui}: use a static gid

Browse source
This commit is contained in:
midchildan 2022-05-08 19:48:29 +09:00
parent 3c8e6248cb
commit 2a58907251
No known key found for this signature in database
GPG key ID: A64DE57FA5963935
3 changed files with 35 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

21
nixos/modules/misc/ids.nix
View file

@ -667,6 +667,27 @@ in
# uid. Users and groups with the same name should have equal # uid. Users and groups with the same name should have equal
# uids and gids. Also, don't use gids above 399! # uids and gids. Also, don't use gids above 399!
# For exceptional cases where you really need a gid above 399, leave a
# comment stating why.
#
# Also, avoid the following GID ranges:
#
# 1000 - 29999: user accounts (see ../config/update-users-groups.pl)
# 30000 - 31000: nixbld users (the upper limit is arbitrarily chosen)
# 61184 - 65519: systemd DynamicUser (see systemd.exec(5))
# 65535: the error return sentinel value when uid_t was 16 bits
#
# 100000 - 6653600: subgid allocated for user namespaces
# (see ../config/update-users-groups.pl)
# 4294967294: unauthenticated user in some NFS implementations
# 4294967295: error return sentinel value
#
# References:
# https://www.debian.org/doc/debian-policy/ch-opersys.html#uid-and-gid-classes
onepassword = 31001; # 1Password requires that its GID be larger than 1000
onepassword-cli = 31002; # 1Password requires that its GID be larger than 1000
users = 100; users = 100;
nixbld = 30000; nixbld = 30000;
nogroup = 65534; nogroup = 65534;

17
nixos/modules/programs/_1password-gui.nix
View file

@ -8,19 +8,16 @@ let
in in
{ {
imports = [
(mkRemovedOptionModule [ "programs" "_1password-gui" "gid" ] ''
A preallocated GID will be used instead.
'')
];
options = { options = {
programs._1password-gui = { programs._1password-gui = {
enable = mkEnableOption "the 1Password GUI application"; enable = mkEnableOption "the 1Password GUI application";
gid = mkOption {
type = types.addCheck types.int (x: x >= 1000);
example = literalExpression "5000";
description = ''
The gid to assign to the onepassword group, which is needed for browser integration.
It must be 1000 or greater.
'';
};
polkitPolicyOwners = mkOption { polkitPolicyOwners = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = [ ]; default = [ ];
@ -44,7 +41,7 @@ in
in in
mkIf cfg.enable { mkIf cfg.enable {
environment.systemPackages = [ package ]; environment.systemPackages = [ package ];
users.groups.onepassword.gid = cfg.gid; users.groups.onepassword.gid = config.ids.gids.onepassword;
security.wrappers = { security.wrappers = {
"1Password-BrowserSupport" = { "1Password-BrowserSupport" = {

17
nixos/modules/programs/_1password.nix
View file

@ -8,19 +8,16 @@ let
in in
{ {
imports = [
(mkRemovedOptionModule [ "programs" "_1password" "gid" ] ''
A preallocated GID will be used instead.
'')
];
options = { options = {
programs._1password = { programs._1password = {
enable = mkEnableOption "the 1Password CLI tool"; enable = mkEnableOption "the 1Password CLI tool";
gid = mkOption {
type = types.addCheck types.int (x: x >= 1000);
example = literalExpression "5001";
description = ''
The gid to assign to the onepassword-cli group, which is needed for integration with the 1Password GUI.
It must be 1000 or greater.
'';
};
package = mkPackageOption pkgs "1Password CLI" { package = mkPackageOption pkgs "1Password CLI" {
default = [ "_1password" ]; default = [ "_1password" ];
}; };
@ -29,7 +26,7 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
environment.systemPackages = [ cfg.package ]; environment.systemPackages = [ cfg.package ];
users.groups.onepassword-cli.gid = cfg.gid; users.groups.onepassword-cli.gid = config.ids.gids.onepassword-cli;
security.wrappers = { security.wrappers = {
"op" = { "op" = {