Merge pull request #172058 from midchildan/improvement/1pw-gid

nixos/_1password{,-gui}: use a static gid
This commit is contained in:
Sandro 2022-07-17 01:21:42 +02:00 committed by GitHub
commit 769329f5f8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 35 additions and 20 deletions

View file

@ -667,6 +667,27 @@ in
# uid. Users and groups with the same name should have equal
# uids and gids. Also, don't use gids above 399!
# For exceptional cases where you really need a gid above 399, leave a
# comment stating why.
#
# Also, avoid the following GID ranges:
#
# 1000 - 29999: user accounts (see ../config/update-users-groups.pl)
# 30000 - 31000: nixbld users (the upper limit is arbitrarily chosen)
# 61184 - 65519: systemd DynamicUser (see systemd.exec(5))
# 65535: the error return sentinel value when uid_t was 16 bits
#
# 100000 - 6653600: subgid allocated for user namespaces
# (see ../config/update-users-groups.pl)
# 4294967294: unauthenticated user in some NFS implementations
# 4294967295: error return sentinel value
#
# References:
# https://www.debian.org/doc/debian-policy/ch-opersys.html#uid-and-gid-classes
onepassword = 31001; # 1Password requires that its GID be larger than 1000
onepassword-cli = 31002; # 1Password requires that its GID be larger than 1000
users = 100;
nixbld = 30000;
nogroup = 65534;

View file

@ -8,19 +8,16 @@ let
in
{
imports = [
(mkRemovedOptionModule [ "programs" "_1password-gui" "gid" ] ''
A preallocated GID will be used instead.
'')
];
options = {
programs._1password-gui = {
enable = mkEnableOption "the 1Password GUI application";
gid = mkOption {
type = types.addCheck types.int (x: x >= 1000);
example = literalExpression "5000";
description = ''
The gid to assign to the onepassword group, which is needed for browser integration.
It must be 1000 or greater.
'';
};
polkitPolicyOwners = mkOption {
type = types.listOf types.str;
default = [ ];
@ -44,7 +41,7 @@ in
in
mkIf cfg.enable {
environment.systemPackages = [ package ];
users.groups.onepassword.gid = cfg.gid;
users.groups.onepassword.gid = config.ids.gids.onepassword;
security.wrappers = {
"1Password-BrowserSupport" = {

View file

@ -8,19 +8,16 @@ let
in
{
imports = [
(mkRemovedOptionModule [ "programs" "_1password" "gid" ] ''
A preallocated GID will be used instead.
'')
];
options = {
programs._1password = {
enable = mkEnableOption "the 1Password CLI tool";
gid = mkOption {
type = types.addCheck types.int (x: x >= 1000);
example = literalExpression "5001";
description = ''
The gid to assign to the onepassword-cli group, which is needed for integration with the 1Password GUI.
It must be 1000 or greater.
'';
};
package = mkPackageOption pkgs "1Password CLI" {
default = [ "_1password" ];
};
@ -29,7 +26,7 @@ in
config = mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];
users.groups.onepassword-cli.gid = cfg.gid;
users.groups.onepassword-cli.gid = config.ids.gids.onepassword-cli;
security.wrappers = {
"op" = {