+2

nixos/doc/manual/release-notes/rl-2505.section.md

··· 555 555 556 556 - `gerbera` now has wavpack support. 557 557 558 558 + - A toggle has been added under `users.users.<name>.enable` to allow toggling individual users conditionally. If set to false, the user account will not be created. 559 559 + 558 560 - `ddclient` was updated from 3.11.2 to 4.0.0 [Release notes](https://github.com/ddclient/ddclient/releases/tag/v4.0.0) 559 561 560 562 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

+11 -1

nixos/modules/config/users-groups.nix

··· 124 124 125 125 options = { 126 126 127 127 + enable = mkOption { 128 128 + type = types.bool; 129 129 + default = true; 130 130 + example = false; 131 131 + description = '' 132 132 + If set to false, the user account will not be created. This is useful for when you wish to conditionally 133 133 + disable user accounts. 134 134 + ''; 135 135 + }; 136 136 + 127 137 name = mkOption { 128 138 type = types.passwdEntry types.str; 129 139 apply = x: assert (stringLength x < 32 || abort "Username '${x}' is longer than 31 characters which is not allowed!"); x; ··· 557 567 autoSubUidGidRange subUidRanges subGidRanges 558 568 initialPassword initialHashedPassword expires; 559 569 shell = utils.toShellPath u.shell; 560 560 - }) cfg.users; 570 570 + }) (filterAttrs (_: u: u.enable) cfg.users); 561 571 groups = attrValues cfg.groups; 562 572 }); 563 573

+18 -11

nixos/modules/services/system/userborn.nix

··· 31 31 ; 32 32 isNormal = opts.isNormalUser; 33 33 shell = utils.toShellPath opts.shell; 34 34 - }) config.users.users; 34 34 + }) (lib.filterAttrs (_: u: u.enable) config.users.users); 35 35 }; 36 36 37 37 userbornConfigJson = pkgs.writeText "userborn.json" (builtins.toJSON userbornConfig); ··· 95 95 96 96 # Create home directories, do not create /var/empty even if that's a user's 97 97 # home. 98 98 - tmpfiles.settings.home-directories = lib.mapAttrs' ( 99 99 - username: opts: 100 100 - lib.nameValuePair (toString opts.home) { 101 101 - d = { 102 102 - mode = opts.homeMode; 103 103 - user = opts.name; 104 104 - inherit (opts) group; 105 105 - }; 106 106 - } 107 107 - ) (lib.filterAttrs (_username: opts: opts.createHome && opts.home != "/var/empty") userCfg.users); 98 98 + tmpfiles.settings.home-directories = 99 99 + lib.mapAttrs' 100 100 + ( 101 101 + username: opts: 102 102 + lib.nameValuePair (toString opts.home) { 103 103 + d = { 104 104 + mode = opts.homeMode; 105 105 + user = opts.name; 106 106 + inherit (opts) group; 107 107 + }; 108 108 + } 109 109 + ) 110 110 + ( 111 111 + lib.filterAttrs ( 112 112 + _username: opts: opts.enable && opts.createHome && opts.home != "/var/empty" 113 113 + ) userCfg.users 114 114 + ); 108 115 109 116 services.userborn = { 110 117 wantedBy = [ "sysinit.target" ];

+1

nixos/tests/all-tests.nix

··· 1201 1201 userborn-mutable-etc = runTest ./userborn-mutable-etc.nix; 1202 1202 userborn-immutable-etc = runTest ./userborn-immutable-etc.nix; 1203 1203 user-activation-scripts = handleTest ./user-activation-scripts.nix {}; 1204 1204 + user-enable-option = runTest ./user-enable-option.nix; 1204 1205 user-expiry = runTest ./user-expiry.nix; 1205 1206 user-home-mode = handleTest ./user-home-mode.nix {}; 1206 1207 ustreamer = handleTest ./ustreamer.nix {};

+82

nixos/tests/user-enable-option.nix

··· 1 1 + let 2 2 + normal-enabled = "username-normal-enabled"; 3 3 + normal-disabled = "username-normal-disabled"; 4 4 + system-enabled = "username-system-enabled"; 5 5 + system-disabled = "username-system-disabled"; 6 6 + passwd = "enableOptionPasswd"; 7 7 + in 8 8 + { 9 9 + name = "user-enable-option"; 10 10 + 11 11 + nodes.machine = { 12 12 + users = { 13 13 + groups.test-group = { }; 14 14 + users = { 15 15 + # User is enabled (default behaviour). 16 16 + ${normal-enabled} = { 17 17 + enable = true; 18 18 + isNormalUser = true; 19 19 + initialPassword = passwd; 20 20 + }; 21 21 + 22 22 + # User is disabled. 23 23 + ${normal-disabled} = { 24 24 + enable = false; 25 25 + isNormalUser = true; 26 26 + initialPassword = passwd; 27 27 + }; 28 28 + 29 29 + # User is a system user, and is enabled. 30 30 + ${system-enabled} = { 31 31 + enable = true; 32 32 + isSystemUser = true; 33 33 + initialPassword = passwd; 34 34 + group = "test-group"; 35 35 + }; 36 36 + 37 37 + # User is a system user, and is disabled. 38 38 + ${system-disabled} = { 39 39 + enable = false; 40 40 + isSystemUser = true; 41 41 + initialPassword = passwd; 42 42 + group = "test-group"; 43 43 + }; 44 44 + }; 45 45 + }; 46 46 + }; 47 47 + 48 48 + testScript = '' 49 49 + def switch_to_tty(tty_number): 50 50 + machine.fail(f"pgrep -f 'agetty.*tty{tty_number}'") 51 51 + machine.send_key(f"alt-f{tty_number}") 52 52 + machine.wait_until_succeeds(f"[ $(fgconsole) = {tty_number} ]") 53 53 + machine.wait_for_unit(f"getty@tty{tty_number}.service") 54 54 + machine.wait_until_succeeds(f"pgrep -f 'agetty.*tty{tty_number}'") 55 55 + 56 56 + machine.wait_for_unit("multi-user.target") 57 57 + machine.wait_for_unit("getty@tty1.service") 58 58 + 59 59 + with subtest("${normal-enabled} exists"): 60 60 + check_fn = f"id ${normal-enabled}" 61 61 + machine.succeed(check_fn) 62 62 + machine.wait_until_tty_matches("1", "login: ") 63 63 + machine.send_chars("${normal-enabled}\n") 64 64 + machine.wait_until_tty_matches("1", "Password: ") 65 65 + machine.send_chars("${passwd}\n") 66 66 + 67 67 + with subtest("${normal-disabled} does not exist"): 68 68 + switch_to_tty(2) 69 69 + check_fn = f"id ${normal-disabled}" 70 70 + machine.fail(check_fn) 71 71 + 72 72 + with subtest("${system-enabled} exists"): 73 73 + switch_to_tty(3) 74 74 + check_fn = f"id ${system-enabled}" 75 75 + machine.succeed(check_fn) 76 76 + 77 77 + with subtest("${system-disabled} does not exist"): 78 78 + switch_to_tty(4) 79 79 + check_fn = f"id ${system-disabled}" 80 80 + machine.fail(check_fn) 81 81 + ''; 82 82 + }

+9

nixos/tests/userborn.nix

··· 66 66 isNormalUser = true; 67 67 hashedPassword = newNormaloHashedPassword; 68 68 }; 69 69 + normalo-disabled = { 70 70 + enable = false; 71 71 + isNormalUser = true; 72 72 + }; 69 73 }; 70 74 groups = { 71 75 new-group = { }; ··· 95 99 print(machine.succeed("getent passwd sysuser")) 96 100 assert 1000 > int(machine.succeed("id --user sysuser")), "sysuser user doesn't have a system UID" 97 101 assert "${sysuserInitialHashedPassword}" in machine.succeed("getent shadow sysuser"), "system user password is not correct" 102 102 + 103 103 + with subtest("normalo-disabled is NOT created"): 104 104 + machine.fail("id normalo-disabled") 105 105 + # Check if user's home has been created 106 106 + machine.fail("[ -d '/home/normalo-disabled' ]") 98 107 99 108 with subtest("sysusers group is created"): 100 109 print(machine.succeed("getent group sysusers"))