nixos/systemd-sysusers: assert against password and hashedPassword

Regardless of mutable or immutable users, systemd-sysupdate never updates existing user records and thus will for example never change passwords for you. It only support initial passwords and now actively asserts agains other paswords.
2025-06-25 18:46:32 +03:00 · 2024-07-21 16:10:50 +02:00 · 2024-07-21 16:10:50 +02:00 · 2ca04530c9
commit 2ca04530c9
parent 2710a49adb
1 changed files with 10 additions and 3 deletions
--- a/nixos/modules/system/boot/systemd/sysusers.nix
+++ b/nixos/modules/system/boot/systemd/sysusers.nix
@ -72,12 +72,19 @@ in
        assertion = config.users.mutableUsers -> config.system.etc.overlay.enable;
        message = "config.users.mutableUsers requires config.system.etc.overlay.enable.";
      }
-    ] ++ lib.mapAttrsToList
-      (username: opts: {
+    ] ++ (lib.mapAttrsToList
+      (_username: opts: {
        assertion = !opts.isNormalUser;
        message = "systemd-sysusers doesn't create normal users. You can currently only use it to create system users.";
      })
-      userCfg.users;
+      userCfg.users)
+    ++ lib.mapAttrsToList
+      (username: opts: {
+        assertion = (opts.password == opts.initialPassword || opts.password == null) &&
+          (opts.hashedPassword == opts.initialHashedPassword || opts.hashedPassword == null);
+        message = "${username} uses password or hashedPassword. systemd-sysupdate only supports initial passwords. It'll never update your passwords.";
+      })
+      systemUsers;

    systemd = {