nixos/systemd-sysusers: silently ignores password and hashedPassword #307159

@Princemachiavelli

Describe the bug

If systemd.sysusers.enable is used with users having passwords set by hashedPassword, the defined password is ignored and the users are provisioned as password-less (i.e. "disabled").

Steps To Reproduce

Steps to reproduce the behavior:

  1. Enable systemd.sysusers.enable
  2. Disable users.mutableUsers or enable system.etc.overlay.enable. (I only tested via mutableUsers=false).
  3. Test new config (careful!)
  4. No user will be able to log in via password - including root.

Expected behavior

Users should retain existing password configured via hashedPassword.

The existing users-groups module (./nixos/modules/config/users-groups.nix) actually sets the default opposite of what the new systemd-sysusers module expects. users-groups sets hashedPassword and password based on the initialHashedPassword and initialPassword values while systemd-sysusers only looks in the initial* values. systemd-sysfiles should just look at hashedPassword and password.

The assertions that prevent building a config without any login-able user (locally or via SSH) should be reviewed. I believe they were not triggered because while I did have an SSH public key configured via Nix - the config does not have an SSH server enabled.
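
A check for the lockout described in this issue, as an added example that is not part of the original report or of nixpkgs: it classifies the password field of each shadow(5) entry and fails when a named account has no password hash. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the issue or nixpkgs). Function names are hypothetical.

# Print "<user> <state>" for every entry of a shadow(5)-format file.
#   empty  - password field is blank
#   locked - field starts with "!" or "*", so no password can match
#   hash   - anything else, i.e. a crypt(3) hash is present
shadow_state() {
    awk -F: '
        $2 == ""     { print $1, "empty";  next }
        $2 ~ /^[!*]/ { print $1, "locked"; next }
                     { print $1, "hash" }
    ' "$1"
}

# Return 0 only if every user listed after FILE has a password hash.
require_password_hash() {
    file=$1; shift
    rc=0
    for user in "$@"; do
        state=$(shadow_state "$file" | awk -v u="$user" '$1 == u { print $2 }')
        if [ "$state" != "hash" ]; then
            echo "$user: no password hash (state: ${state:-missing})" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: root and bob are locked, alice has a (fake) hash.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:!*:1::::::
alice:$y$j9T$constructedsalt$constructedhash:19800:0:99999:7:::
bob:!:19800::::::
EOF
shadow_state "$sample"
rm -f "$sample"
```

Run as root against the real file after step 3 while an existing root session is still open, for example `require_password_hash /etc/shadow root`.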
