
nixos/users-groups: Add assert on null shells

I recently set up a new machine with tmpfs-on-root
and switched to mutableUsers = false as part of that.
I missed that an existing user with `shell = null`
was no longer valid as part of this change.
(`shell = null` is still useful for `mutableUsers = true`.)

Add an assertion to prevent future issues.

Also fix a typo in an option name in a comment;
it confused me slightly
(I originally planned to extend that existing assertion).
This commit is contained in:
Aneesh Agrawal 2024-01-07 13:32:16 -05:00
parent 63143ac2c9
commit f4bd2c83e9


@ -476,6 +476,7 @@ let
sdInitrdGidsAreUnique = idsAreUnique (filterAttrs (n: g: g.gid != null) config.boot.initrd.systemd.groups) "gid";
groupNames = lib.mapAttrsToList (n: g: g.name) cfg.groups;
usersWithoutExistingGroup = lib.filterAttrs (n: u: u.group != "" && !lib.elem u.group groupNames) cfg.users;
usersWithNullShells = attrNames (filterAttrs (name: cfg: cfg.shell == null) cfg.users);
spec = pkgs.writeText "users-groups.json" (builtins.toJSON {
inherit (cfg) mutableUsers;
@ -815,12 +816,21 @@ in {
${lib.concatStringsSep "\n " (map mkConfigHint missingGroups)}
'';
}
{
assertion = !cfg.mutableUsers -> length usersWithNullShells == 0;
message = ''
users.mutableUsers = false has been set,
but found users that have their shell set to null.
If you wish to disable login, set their shell to pkgs.shadow (the default).
Misconfigured users: ${lib.concatStringsSep " " usersWithNullShells}
'';
}
{ # If mutableUsers is false, to prevent users creating a
# configuration that locks them out of the system, ensure that
# there is at least one "privileged" account that has a
# password or an SSH authorized key. Privileged accounts are
# root and users in the wheel group.
# The check does not apply when users.disableLoginPossibilityAssertion
# The check does not apply when users.allowNoPasswordLogin
# The check does not apply when users.mutableUsers
assertion = !cfg.mutableUsers -> !cfg.allowNoPasswordLogin ->
any id (mapAttrsToList (name: cfg:
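Review bot: The new assertion at the `assertion = !cfg.mutableUsers -> length usersWithNullShells == 0;` line carries no comment explaining why a null shell is rejected only in the immutable case, while the neighbouring lock-out assertion documents its rationale at length; a reader of the message alone cannot tell whether this is a correctness or a security concern. The commit description says `shell = null` remains meaningful for `mutableUsers = true`, which presumably means it defers to whatever shell is already in the password database, and that fallback does not exist when the database is generated from configuration — I would confirm that against the activation script and add a two-line comment above the assertion stating it. As a point of style, the filter that defines the list (`filterAttrs (name: cfg: cfg.shell == null) cfg.users` in the first hunk) shadows the module-level `cfg` inside a module that reads `cfg.mutableUsers` and `cfg.users` throughout; the sibling `usersWithoutExistingGroup` uses `(n: u: ...)`, so `(name: u: u.shell == null)` would be consistent and avoids a confusing diff next to the `cfg.users` argument. The surrounding `let` binding and the assertions list both begin outside this hunk, and the lock-out assertion's body continues past its end.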