Before: `users.users.user1.group = "group-not-defined-anywhere-else"`
would result in user1 having the primary group `nogroup`, assigned at
activation time and only with a (easy to miss) warning from the
activation script. This behaviour is a security issue becase no files
should be owned by `nogroup` and it allows for unrelated users (and
services) to accidentally have access to files they shouldn't have.
After: The configuration above results in this eval error:
- The following users have a primary group that is undefined: user1
Hint: Add this to your NixOS config:
users.groups.group-not-defined-anywhere-else = {};
and remove nano from environment.defaultPackages. In addition also cleanup the file in general.
This is a follow up to #220481
Co-authored-by: pennae <82953136+pennae@users.noreply.github.com>
The text was originally added [0] following an apparently incomplete
research on how everything plays together. In fact, Nix propagates
`outputs` to the corresponding nested derivations, and there is some
messy behavior in Nixpkgs that only seems to propagate
`meta.outputsToInstall` in `buildEnv`[1].
This change moves the hints on how to use NixOS specifics to NixOS
module documentation (which is hopefully easier to find through
search.nixos.org), describes the default behavior in Nixpkgs (updating
a the link to the source), and removes the confusing mention of
`nix-env`.
the last of them should not be there to begin with. we don't want
beginners to use `nix-env`, as this is known to run them into trouble
eventually.
[0]: https://github.com/NixOS/nixpkgs/pull/76794
[1]: 1774d07242/pkgs/build-support/buildenv/default.nix (L66)
This fixes a bug where the vconsole was not working as intended in systemd stage 1 with systemd v254.
udev rules are now starting with this service instead of whatever happened before.
Clarify that the monochrome font is not included, per #221181.
The new name is also coherent with the name of the font,
according to `fontconfig`: Noto Color Emoji.
- Avoid false-positives on package sets that contain a `terminfo` derivation,
like `haskellPackages` and `sbclPackages`.
- Directly provide a list of names that can be used to update the NixOS module,
rather than a list of derivations which is hard to read in the REPL.
This avoids the possible confusion with `passwordFile` being the file
version of `password`, while it should contain the password hash.
Fixes issue #165858.
Since #246772, cross compiled NixOS is broken because the DateTime perl
package that was used in the update-users-groups.pl script depends on
Testutf8 which does not cross compile (see #198548).
This PR drops the DateTime dependency in favour of TimePiece, which has
less dependencies and whose closure does cross compile.
I initially thought it was related to /var/lib/nixos/{gid-map,uid-map},
but it seems that to migrate GID/UID you have to edit
/etc/{group,passwd} (and update GID/UID in all files). So mention those
files in the warning messages.
We do not really declare module dependencies anywhere else and it would
a nousance to move any file if many other referenced it without being
necessary. Also most higher level modules depend on most of the lower
level ones.
So removing this because it can only potentially cause weird issues.
