nixos/users-groups: dump values of password options if multiple options have definitions

This was suggested since it might make it a little easier to identify
the places where the definitions come from.

Retrieving the effective definitions from the module-system seems
non-trivial, especially for submodules though, hence only the values are
shown for now.

I'd argue that especially the `password` option is mostly a convenience
thing for test setups. If the password is an actual secret, it should be
treated as such, i.e. `hashedPasswordFile` should be used.

For the `shadow` VM test, the new section of the warning looks like
this:

    The values of these options are:
    * users.users."leo".hashedPassword: "$6$ymzs8WINZ5wGwQcV$VC2S0cQiX8NVukOLymysTPn4v1zJoJp3NGyhnqyv/dAf4NWZsBWYveQcj6gEJr4ZUjRBRjM0Pj1L8TCQ8hUUp0"
    * users.users."leo".hashedPasswordFile: null
    * users.users."leo".password: null
    * users.users."leo".initialHashedPassword: "!"
    * users.users."leo".initialPassword: null
Maximilian Bosch 2024-10-17 17:35:47 +02:00
parent 1b42d28618
commit 7cb22a0acb
No known key found for this signature in database

@ -6,6 +6,7 @@ let
attrNames
attrValues
concatMap
concatMapStringsSep
concatStrings
elem
filter
@ -13,6 +14,7 @@ let
flatten
flip
foldr
generators
getAttr
hasAttr
id
@ -944,16 +946,18 @@ in {
warnings =
flip concatMap (attrValues cfg.users) (user: let
unambiguousPasswordConfiguration = 1 >= length (filter (x: x != null) ([
user.hashedPassword
user.hashedPasswordFile
user.password
passwordOptions = [
"hashedPassword"
"hashedPasswordFile"
"password"
] ++ optionals cfg.mutableUsers [
# For immutable users, initialHashedPassword is set to hashedPassword,
# so using these options would always trigger the assertion.
user.initialHashedPassword
user.initialPassword
]));
"initialHashedPassword"
"initialPassword"
];
unambiguousPasswordConfiguration = 1 >= length
(filter (x: x != null) (map (flip getAttr user) passwordOptions));
in optional (!unambiguousPasswordConfiguration) ''
The user '${user.name}' has multiple of the options
`hashedPassword`, `password`, `hashedPasswordFile`, `initialPassword`
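Review bot: `passwordOptions` is ordered `hashedPassword`, `hashedPasswordFile`, `password`, but the warning text at the end of this hunk lists `hashedPassword`, `password`, `hashedPasswordFile`, and the following context says options are discarded "by the order of precedence given above". Since this list now also drives the per-option dump, put it in the precedence order the message states (or correct the message), so the dump shows at a glance which definition wins. The hard-coded option names in the message could also be generated from `passwordOptions`, which would keep them consistent with the `cfg.mutableUsers` branch.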
@ -961,6 +965,13 @@ in {
The options silently discard others by the order of precedence
given above which can lead to surprising results. To resolve this warning,
set at most one of the options above to a non-`null` value.
The values of these options are:
${concatMapStringsSep
"\n"
(value:
"* users.users.\"${user.name}\".${value}: ${generators.toPretty {} user.${value}}")
passwordOptions}
'')
++ filter (x: x != null) (
flip mapAttrsToList cfg.users (_: user:
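Review bot: the added `generators.toPretty {} user.${value}` line prints `password` and `initialPassword` in clear text, along with the full `hashedPassword` and `initialHashedPassword` strings, into a warning that is emitted at evaluation time and therefore lands in terminal scrollback and CI logs. The commit message treats `password` as a test-setup convenience, but nothing in this hunk restricts the dump to test configurations; consider printing only whether each option is `null` or set, or redacting the plain-text options, and mention the behaviour in the option descriptions. Minor: the lambda argument `value` holds an option name, so `opt` or `name` would read more clearly.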