nixos/users-groups: rename passwordFile in hashedPasswordFile

This avoids the possible confusion with `passwordFile` being the file version of `password`, while it should contain the password hash. Fixes issue #165858.
2024-11-22 15:03:28 +00:00 · 2023-09-08 21:13:31 +02:00 · 2023-09-08 21:13:31 +02:00 · 5666a378cb
commit 5666a378cb
parent ef14cdd5b9
2 changed files with 28 additions and 14 deletions
--- a/nixos/doc/manual/release-notes/rl-2311.section.md
+++ b/nixos/doc/manual/release-notes/rl-2311.section.md
@ -87,6 +87,8 @@

 - `getent` has been moved from `glibc`'s `bin` output to its own dedicated output, reducing closure size for many dependents. Dependents using the `getent` alias should not be affected; others should move from using `glibc.bin` or `getBin glibc` to `getent` (which also improves compatibility with non-glibc platforms).

+- The `users.users.<name>.passwordFile` has been renamed to `users.users.<name>.hashedPasswordFile` to avoid possible confusions. The option is in fact the file-based version of `hashedPassword`, not `password`, and expects a file containing the {manpage}`crypt(3)` hash of the user password.
+
 - The `services.ananicy.extraRules` option now has the type of `listOf attrs` instead of `string`.

 - The `matrix-synapse` package & module have undergone some significant internal changes, for most setups no intervention is needed, though:
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@ -18,11 +18,11 @@ let

  passwordDescription = ''
    The options {option}`hashedPassword`,
-    {option}`password` and {option}`passwordFile`
+    {option}`password` and {option}`hashedPasswordFile`
    controls what password is set for the user.
    {option}`hashedPassword` overrides both
-    {option}`password` and {option}`passwordFile`.
-    {option}`password` overrides {option}`passwordFile`.
+    {option}`password` and {option}`hashedPasswordFile`.
+    {option}`password` overrides {option}`hashedPasswordFile`.
    If none of these three options are set, no password is assigned to
    the user, and the user will not be able to do password logins.
    If the option {option}`users.mutableUsers` is true, the
@ -250,18 +250,26 @@ let
        '';
      };

-      passwordFile = mkOption {
+      hashedPasswordFile = mkOption {
        type = with types; nullOr str;
-        default = null;
+        default = cfg.users.${name}.passwordFile;
+        defaultText = literalExpression "null";
        description = lib.mdDoc ''
-          The full path to a file that contains the user's password. The password
-          file is read on each system activation. The file should contain
-          exactly one line, which should be the password in an encrypted form
-          that is suitable for the `chpasswd -e` command.
+          The full path to a file that contains the hash of the user's
+          password. The password file is read on each system activation. The
+          file should contain exactly one line, which should be the password in
+          an encrypted form that is suitable for the `chpasswd -e` command.
          ${passwordDescription}
        '';
      };

+      passwordFile = mkOption {
+        type = with types; nullOr (passwdEntry str);
+        default = null;
+        visible = false;
+        description = lib.mdDoc "Deprecated alias of hashedPasswordFile";
+      };
+
      initialHashedPassword = mkOption {
        type = with types; nullOr (passwdEntry str);
        default = null;
@ -447,7 +455,7 @@ let
    users = mapAttrsToList (_: u:
      { inherit (u)
          name uid group description home homeMode createHome isSystemUser
-          password passwordFile hashedPassword
+          password hashedPasswordFile hashedPassword
          autoSubUidGidRange subUidRanges subGidRanges
          initialPassword initialHashedPassword expires;
        shell = utils.toShellPath u.shell;
@ -756,7 +764,7 @@ in {
            &&
            (allowsLogin cfg.hashedPassword
             || cfg.password != null
-             || cfg.passwordFile != null
+             || cfg.hashedPasswordFile != null
             || cfg.openssh.authorizedKeys.keys != []
             || cfg.openssh.authorizedKeys.keyFiles != [])
          ) cfg.users ++ [
@ -845,9 +853,13 @@ in {
          The password hash of user "${user.name}" may be invalid. You must set a
          valid hash or the user will be locked out of their account. Please
          check the value of option `users.users."${user.name}".hashedPassword`.''
-        else null
-      ));
-
+        else null)
+        ++ flip mapAttrsToList cfg.users (name: user:
+          if user.passwordFile != null then
+            ''The option `users.users."${name}".passwordFile' has been renamed '' +
+            ''to `users.users."${name}".hashedPasswordFile'.''
+          else null)
+      );
  };

 }