nixos/users-groups: warn on ambiguous password settings

After 4b128008c5 it took me a while in a test setup to find out why `root` didn't have the password anymore I declared in my config. Because of that I got reminded how the order of preference works for the password options: hashedPassword > password > hashedPasswordFile If the user is new, initialPassword & initialHashedPassword are also relevant. Also, the override is silent in contrast to any other conflicting definition in NixOS. To make this less surprising I decided to warn in such a case - assertions would probably break too much that technically works as intended. Also removed the `initialHashedPassword` for `root`. This would cause a warning whenever you set something in your own config and a `!` is added automatically by `users-groups.pl`. `systemd-sysusers` also seems to implement these precedence rules, so having the warning for that case also seems useful.
2025-02-22 20:14:37 +00:00 · 2024-02-09 15:55:26 +01:00 · 2024-02-09 15:55:26 +01:00 · f6954309e8
commit f6954309e8
parent a5d28c9bff
1 changed files with 20 additions and 2 deletions
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@ -649,7 +649,6 @@ in {
        home = "/root";
        shell = mkDefault cfg.defaultUserShell;
        group = "root";
-        initialHashedPassword = mkDefault "!";
      };
      nobody = {
        uid = ids.uids.nobody;
@ -897,7 +896,26 @@ in {
    ));

    warnings =
-      builtins.filter (x: x != null) (
+      flip concatMap (attrValues cfg.users) (user: let
+        unambiguousPasswordConfiguration = 1 >= length (filter (x: x != null) ([
+          user.hashedPassword
+          user.hashedPasswordFile
+          user.password
+        ] ++ optionals cfg.mutableUsers [
+          # For immutable users, initialHashedPassword is set to hashedPassword,
+          # so using these options would always trigger the assertion.
+          user.initialHashedPassword
+          user.initialPassword
+        ]));
+      in optional (!unambiguousPasswordConfiguration) ''
+        The user '${user.name}' has multiple of the options
+        `hashedPassword`, `password`, `hashedPasswordFile`, `initialPassword`
+        & `initialHashedPassword` set to a non-null value.
+        The options silently discard others by the order of precedence
+        given above which can lead to surprising results. To resolve this warning,
+        set at most one of the options above to a non-`null` value.
+      '')
+      ++ builtins.filter (x: x != null) (
        flip mapAttrsToList cfg.users (_: user:
        # This regex matches a subset of the Modular Crypto Format (MCF)[1]
        # informal standard. Since this depends largely on the OS or the