nixos/users-groups: rename passwordFile in hashedPasswordFile
This avoids the possible confusion of reading `passwordFile` as the file-based version of `password`, when the file must in fact contain the password hash. Fixes issue #165858.
parent
ef14cdd5b9
commit
5666a378cb
2 changed files with 28 additions and 14 deletions
nixos
|
@ -87,6 +87,8 @@
|
|||
|
||||
- `getent` has been moved from `glibc`'s `bin` output to its own dedicated output, reducing closure size for many dependents. Dependents using the `getent` alias should not be affected; others should move from using `glibc.bin` or `getBin glibc` to `getent` (which also improves compatibility with non-glibc platforms).
|
||||
|
||||
- The `users.users.<name>.passwordFile` has been renamed to `users.users.<name>.hashedPasswordFile` to avoid possible confusions. The option is in fact the file-based version of `hashedPassword`, not `password`, and expects a file containing the {manpage}`crypt(3)` hash of the user password.
|
||||
|
||||
- The `services.ananicy.extraRules` option now has the type of `listOf attrs` instead of `string`.
|
||||
|
||||
- The `matrix-synapse` package & module have undergone some significant internal changes, for most setups no intervention is needed, though:
|
||||
|
|
|
@ -18,11 +18,11 @@ let
|
|||
|
||||
passwordDescription = ''
|
||||
The options {option}`hashedPassword`,
|
||||
{option}`password` and {option}`passwordFile`
|
||||
{option}`password` and {option}`hashedPasswordFile`
|
||||
controls what password is set for the user.
|
||||
{option}`hashedPassword` overrides both
|
||||
{option}`password` and {option}`passwordFile`.
|
||||
{option}`password` overrides {option}`passwordFile`.
|
||||
{option}`password` and {option}`hashedPasswordFile`.
|
||||
{option}`password` overrides {option}`hashedPasswordFile`.
|
||||
If none of these three options are set, no password is assigned to
|
||||
the user, and the user will not be able to do password logins.
|
||||
If the option {option}`users.mutableUsers` is true, the
|
||||
|
@ -250,18 +250,26 @@ let
|
|||
'';
|
||||
};
|
||||
|
||||
passwordFile = mkOption {
|
||||
hashedPasswordFile = mkOption {
|
||||
type = with types; nullOr str;
|
||||
default = null;
|
||||
default = cfg.users.${name}.passwordFile;
|
||||
defaultText = literalExpression "null";
|
||||
description = lib.mdDoc ''
|
||||
The full path to a file that contains the user's password. The password
|
||||
file is read on each system activation. The file should contain
|
||||
exactly one line, which should be the password in an encrypted form
|
||||
that is suitable for the `chpasswd -e` command.
|
||||
The full path to a file that contains the hash of the user's
|
||||
password. The password file is read on each system activation. The
|
||||
file should contain exactly one line, which should be the password in
|
||||
an encrypted form that is suitable for the `chpasswd -e` command.
|
||||
${passwordDescription}
|
||||
'';
|
||||
};
|
||||
|
||||
passwordFile = mkOption {
|
||||
type = with types; nullOr (passwdEntry str);
|
||||
default = null;
|
||||
visible = false;
|
||||
description = lib.mdDoc "Deprecated alias of hashedPasswordFile";
|
||||
};
|
||||
|
||||
initialHashedPassword = mkOption {
|
||||
type = with types; nullOr (passwdEntry str);
|
||||
default = null;
|
||||
|
@ -447,7 +455,7 @@ let
|
|||
users = mapAttrsToList (_: u:
|
||||
{ inherit (u)
|
||||
name uid group description home homeMode createHome isSystemUser
|
||||
password passwordFile hashedPassword
|
||||
password hashedPasswordFile hashedPassword
|
||||
autoSubUidGidRange subUidRanges subGidRanges
|
||||
initialPassword initialHashedPassword expires;
|
||||
shell = utils.toShellPath u.shell;
|
||||
|
@ -756,7 +764,7 @@ in {
|
|||
&&
|
||||
(allowsLogin cfg.hashedPassword
|
||||
|| cfg.password != null
|
||||
|| cfg.passwordFile != null
|
||||
|| cfg.hashedPasswordFile != null
|
||||
|| cfg.openssh.authorizedKeys.keys != []
|
||||
|| cfg.openssh.authorizedKeys.keyFiles != [])
|
||||
) cfg.users ++ [
|
||||
|
@ -845,9 +853,13 @@ in {
|
|||
The password hash of user "${user.name}" may be invalid. You must set a
|
||||
valid hash or the user will be locked out of their account. Please
|
||||
check the value of option `users.users."${user.name}".hashedPassword`.''
|
||||
else null
|
||||
));
|
||||
|
||||
else null)
|
||||
++ flip mapAttrsToList cfg.users (name: user:
|
||||
if user.passwordFile != null then
|
||||
''The option `users.users."${name}".passwordFile' has been renamed '' +
|
||||
''to `users.users."${name}".hashedPasswordFile'.''
|
||||
else null)
|
||||
);
|
||||
};
|
||||
|
||||
}
|
||||
|
|
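Review bot: The deprecated `passwordFile` alias in the `@ -250,18 +250,26` hunk is declared as `nullOr (passwdEntry str)`, while the option it replaces and the new `hashedPasswordFile` that defaults to it are both `nullOr str`. The value is a file path, not a passwd field, and `passwdEntry` (which, as far as I know, rejects strings containing `:` or a newline) would make an existing configuration with such a path fail evaluation instead of reaching the rename warning; I would keep `type = with types; nullOr str;` on the alias. Because the rename exists precisely because the file content was mistaken for a plaintext password, the new description could also say "hash" where it still says "the password in an encrypted form", and note that the file should be kept outside the world-readable Nix store. The enclosing option set begins and ends outside the visible hunks.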