From 55e8064b0b19834ac49cf7c20d2dcb42748b09c7 Mon Sep 17 00:00:00 2001
From: Will Fancher
Date: Mon, 23 Dec 2024 00:26:59 -0500
Subject: [PATCH 1/3] Revert "nixis/uinput: use a fixed GID for the uinput group"
This reverts commit 70119aa60f9e6b4fc129b34de481f1a79d47750b.
---
 nixos/modules/hardware/uinput.nix | 2 +-
 nixos/modules/misc/ids.nix | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/nixos/modules/hardware/uinput.nix b/nixos/modules/hardware/uinput.nix
index 1845d9cfe565d..0adc00e05f96b 100644
--- a/nixos/modules/hardware/uinput.nix
+++ b/nixos/modules/hardware/uinput.nix
@@ -11,7 +11,7 @@ in
 config = lib.mkIf cfg.enable {
 boot.kernelModules = [ "uinput" ];
- users.groups.uinput.gid = config.ids.gids.uinput;
+ users.groups.uinput = { };
 services.udev.extraRules = ''
 SUBSYSTEM=="misc", KERNEL=="uinput", MODE="0660", GROUP="uinput", OPTIONS+="static_node=uinput"
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index d1347766420a1..ca7fc9ebf8ad7 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -683,7 +683,6 @@ in
 rstudio-server = 324;
 localtimed = 325;
 automatic-timezoned = 326;
- uinput = 327;
 whisparr = 328;
 # When adding a gid, make sure it doesn't match an existing
From 218901bd4c68d6a164959b10ebc1a8276f4261c9 Mon Sep 17 00:00:00 2001
From: Will Fancher
Date: Mon, 23 Dec 2024 00:33:37 -0500
Subject: [PATCH 2/3] nixos/whisparr: Remove static IDs
---
 nixos/modules/misc/ids.nix | 2 --
 nixos/modules/services/misc/whisparr.nix | 4 ++--
 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index ca7fc9ebf8ad7..a2c0438801ad7 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -355,7 +355,6 @@ in
 rstudio-server = 324;
 localtimed = 325;
 automatic-timezoned = 326;
- whisparr = 328;
 # When adding a uid, make sure it doesn't match an existing gid.
 #
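Review bot: The `users.groups.uinput = { };` declaration in the uinput.nix hunk has no comment saying what membership grants, although the udev rule right below it hands the group read/write access to the device (`MODE="0660", GROUP="uinput"`). Any member can create virtual input devices and feed input events to the system, so I would add a comment above the declaration such as `# Members of "uinput" can synthesise keyboard/mouse input system-wide; treat membership as privileged.` The enclosing `config` block begins and ends outside the hunk.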
@@ -683,7 +682,6 @@ in
 rstudio-server = 324;
 localtimed = 325;
 automatic-timezoned = 326;
- whisparr = 328;
 # When adding a gid, make sure it doesn't match an existing
 # uid. Users and groups with the same name should have equal
diff --git a/nixos/modules/services/misc/whisparr.nix b/nixos/modules/services/misc/whisparr.nix
index 8594a682ec9f3..bf15ee70fde44 100644
--- a/nixos/modules/services/misc/whisparr.nix
+++ b/nixos/modules/services/misc/whisparr.nix
@@ -64,10 +64,10 @@ in
 whisparr = {
 group = cfg.group;
 home = cfg.dataDir;
- uid = config.ids.uids.whisparr;
+ isSystemUser = true;
 };
 };
- users.groups = lib.mkIf (cfg.group == "whisparr") { whisparr.gid = config.ids.gids.whisparr; };
+ users.groups.whisparr = lib.mkIf (cfg.group == "whisparr") { };
 };
 }
From 4971ed01cbc149465443c5107ba3331d8fda39cc Mon Sep 17 00:00:00 2001
From: Will Fancher
Date: Mon, 23 Dec 2024 00:47:56 -0500
Subject: [PATCH 3/3] nixos/ids: Link to RFC #52 and explain that static IDs are not allowed.
---
 ci/OWNERS | 1 +
 nixos/modules/misc/ids.nix | 15 +++++++++------
 2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/ci/OWNERS b/ci/OWNERS
index 35edeaf6cf775..4681abaad6f65 100644
--- a/ci/OWNERS
+++ b/ci/OWNERS
@@ -102,6 +102,7 @@ nixos/modules/installer/tools/nix-fallback-paths.nix @NixOS/nix-team @raitobeza
 /nixos/default.nix @infinisil
 /nixos/lib/from-env.nix @infinisil
 /nixos/lib/eval-config.nix @infinisil
+/nixos/modules/misc/ids.nix @R-VdP
 /nixos/modules/system/activation/bootspec.nix @grahamc @cole-h @raitobezarius
 /nixos/modules/system/activation/bootspec.cue @grahamc @cole-h @raitobezarius
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index a2c0438801ad7..fcdffc5209675 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
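Review bot: Nothing in the whisparr.nix hunk ensures that `cfg.dataDir` ends up owned by the service account once `uid = config.ids.uids.whisparr;` is replaced by `isSystemUser = true;` and the uid is no longer the same number on every host. Existing installs probably keep the uid they were already given, but a data directory restored from backup or moved to another machine may be owned by an unrelated account or be unreadable to the service. If the module does not already set ownership by name outside this hunk, a rule such as `systemd.tmpfiles.rules = [ "d '${cfg.dataDir}' 0700 ${cfg.user} ${cfg.group} - -" ];` would cover new directories; existing contents would still need a documented one-off chown. The enclosing `users.users` definition begins outside the hunk.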
@@ -2,12 +2,15 @@
 # central list to prevent id collisions.
 # IMPORTANT!
-# We only add static uids and gids for services where it is not feasible
-# to change uids/gids on service start, for example a service with a lot of
-# files. Please also check if the service is applicable for systemd's
-# DynamicUser option and does not need a uid/gid allocation at all.
-# Systemd can also change ownership of service directories using the
-# RuntimeDirectory/StateDirectory options.
+#
+# https://github.com/NixOS/rfcs/blob/master/rfcs/0052-dynamic-ids.md
+#
+# Use of static ids is deprecated within NixOS. Dynamic allocation is
+# required, barring special circumstacnes. Please check if the service
+# is applicable for systemd's DynamicUser option and does not need a
+# uid/gid allocation at all. Systemd can also change ownership of
+# service directories using the RuntimeDirectory/StateDirectory
+# options.
 { lib, ... }:
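Review bot: The added header line `# required, barring special circumstacnes. Please check if the service` misspells "circumstances", and the sentence does not say what would count as one or who decides. I would change it to `# required, barring special circumstances. Please check if the service` and add one line naming the kind of exception meant, so contributors do not treat it as an open door. The comments further down the file that begin `# When adding a uid, ...` and `# When adding a gid, ...` (visible as context in patch 2/3, outside this hunk) still read as instructions for adding entries and now sit awkwardly next to this header.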