authorBenedikt Peetz <benedikt.peetz@b-peetz.de>2025-08-24 15:10:22 +0200
committerBenedikt Peetz <benedikt.peetz@b-peetz.de>2025-08-24 15:10:22 +0200
commit0c38364b28e3443ac45b56c08787bb70a2b30b28 (patch)
tree38140123e5283896dea43779ee37e9f3e509a25c
parentmodules/hledger: Remove `hledger-edit` (diff)
modules/: Hard-code user and group ids
This avoids relying on the state in /var/lib/nixos
-rw-r--r--modules/by-name/ad/adb/module.nix6
-rw-r--r--modules/by-name/co/constants/module.nix57
-rw-r--r--modules/by-name/co/coredump/module.nix17
-rw-r--r--modules/by-name/dh/dhcpcd/module.nix21
-rw-r--r--modules/by-name/fw/fwupd/module.nix6
-rw-r--r--modules/by-name/ms/msr/module.nix17
-rw-r--r--modules/by-name/ne/networking/module.nix9
-rw-r--r--modules/by-name/ns/nscd/module.nix18
-rw-r--r--modules/by-name/oo/oomd/module.nix18
-rw-r--r--modules/by-name/op/openssh/module.nix42
-rw-r--r--modules/by-name/po/polkit/module.nix3
-rw-r--r--modules/by-name/pr/printing/module.nix6
-rw-r--r--modules/by-name/re/resolvconf/module.nix15
-rw-r--r--modules/by-name/so/sound/module.nix5
14 files changed, 224 insertions, 16 deletions
diff --git a/modules/by-name/ad/adb/module.nix b/modules/by-name/ad/adb/module.nix
index 71bd3c9b..cf13168a 100644
--- a/modules/by-name/ad/adb/module.nix
+++ b/modules/by-name/ad/adb/module.nix
@@ -26,6 +26,10 @@ in {
config = lib.mkIf cfg.enable {
programs.adb.enable = true;
- users.users."${cfg.user}".extraGroups = ["adbusers"];
+
+ users = {
+ users."${cfg.user}".extraGroups = ["adbusers"];
+ groups.adbusers.gid = config.soispha.constants.ids.gids.adbusers;
+ };
};
}
diff --git a/modules/by-name/co/constants/module.nix b/modules/by-name/co/constants/module.nix
new file mode 100644
index 00000000..5711e9cf
--- /dev/null
+++ b/modules/by-name/co/constants/module.nix
@@ -0,0 +1,57 @@
+# This file is inspired by the `nixos/modules/misc/ids.nix`
+# file in nixpkgs.
+{lib, ...}: {
+ options.soispha.constants = {
+ ids.uids = lib.mkOption {
+ internal = true;
+ description = ''
+ The user IDs used in this nixos config.
+ '';
+ type = lib.types.attrsOf (lib.types.ints.between 0 1000);
+ };
+ ids.gids = lib.mkOption {
+ internal = true;
+ description = ''
+ The group IDs used in this nixos config.
+ '';
+ type = lib.types.attrsOf (lib.types.ints.between 0 1000);
+ };
+ };
+
+ config.soispha.constants = {
+ ids.uids = {
+ # Keep this sorted with `!sort --numeric-sort --key=2 --field-separator="="`
+
+ dhcpcd = 992;
+ systemd-oom = 993;
+ sshd = 994;
+ rtkit = 995;
+ nscd = 996;
+ nm-iodine = 997;
+ fwupd-refresh = 998;
+ avahi = 999;
+
+ # As per the NixOS file, the uids should not be greater or equal to 400;
+ };
+ ids.gids = {
+ # Please add your groups to the users and inherit them here.
+ # This avoids having an user/group id mismatch.
+
+ dhcpcd = 987;
+ lpadmin = 988;
+ resolvconf = 989;
+ systemd-oom = 990;
+ systemd-coredump = 991;
+ sshd = 992;
+ rtkit = 993;
+ polkituser = 994;
+ nscd = 995;
+ msr = 996;
+ fwupd-refresh = 997;
+ avahi = 998;
+ adbusers = 999;
+
+ # The gid should match the uid. Thus should not be >= 400;
+ };
+ };
+}
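Review bot: The two trailing comments in the config block contradict the values above them: `# As per the NixOS file, the uids should not be greater or equal to 400;` sits under uids 992–999, and `# The gid should match the uid.` holds for no entry (sshd is uid 994 but gid 992, dhcpcd uid 992 but gid 987, and dhcpcd's uid 992 is sshd's gid), while the option type `lib.types.ints.between 0 1000` admits the whole range, so nothing enforces either rule. Either narrow the type to `lib.types.ints.between 0 399` and renumber, or rewrite the comments to state what was actually decided; as far as I recall 400–999 is the range NixOS hands out dynamically to system users, so a pinned id in it can collide with a service that was already allocated that id on an existing host, which is worth saying explicitly if this is the intended trade-off. A NixOS `assertions` entry checking that no id value appears twice within each set would also catch a future copy-paste duplicate.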
diff --git a/modules/by-name/co/coredump/module.nix b/modules/by-name/co/coredump/module.nix
new file mode 100644
index 00000000..79e764eb
--- /dev/null
+++ b/modules/by-name/co/coredump/module.nix
@@ -0,0 +1,17 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.soispha.systemd.coredump;
+in {
+ options.soispha.systemd.coredump = {
+ enable = (lib.mkEnableOption "oomd") // {default = config.systemd.coredump.enable;};
+ };
+
+ config = lib.mkIf cfg.enable {
+ users = {
+ groups.systemd-coredump.gid = config.soispha.constants.ids.gids.systemd-coredump;
+ };
+ };
+}
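Review bot: `enable = (lib.mkEnableOption "oomd")` in the options block names the wrong service — this module is coredump, so the generated option description reads "Whether to enable oomd." It should be `enable = (lib.mkEnableOption "systemd-coredump") // {default = config.systemd.coredump.enable;};`. The same string is correct in the oomd module added by this commit, so it looks like a copy-paste leftover.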
diff --git a/modules/by-name/dh/dhcpcd/module.nix b/modules/by-name/dh/dhcpcd/module.nix
new file mode 100644
index 00000000..5fee0100
--- /dev/null
+++ b/modules/by-name/dh/dhcpcd/module.nix
@@ -0,0 +1,21 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.soispha.dhcpcd;
+in {
+ options.soispha.dhcpcd = {
+ enable = (lib.mkEnableOption "dhcpcd") // {default = config.networking.dhcpcd.enable;};
+ };
+
+ config = lib.mkIf cfg.enable {
+ users = {
+ users.dhcpcd = {
+ uid = config.soispha.constants.ids.uids.dhcpcd;
+ group = "dhcpcd";
+ };
+ groups.dhcpcd.gid = config.soispha.constants.ids.gids.dhcpcd;
+ };
+ };
+}
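Review bot: `users.users.dhcpcd` is declared with only `uid` and `group`, so it relies on the upstream `networking.dhcpcd` module to supply `isSystemUser`; the option default keeps that true, but if `soispha.dhcpcd.enable` is forced on while `networking.dhcpcd.enable` is off, evaluation should, as far as I recall, trip NixOS's "exactly one of isSystemUser or isNormalUser" assertion rather than silently create a half-declared account. That is acceptable, but it deserves a comment at the declaration, e.g. `# Only pins the ids; the user itself is declared by networking.dhcpcd.`. The nscd and oomd modules in this commit follow the same pattern and would take the same note.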
diff --git a/modules/by-name/fw/fwupd/module.nix b/modules/by-name/fw/fwupd/module.nix
index 0c4a7bf3..7252c170 100644
--- a/modules/by-name/fw/fwupd/module.nix
+++ b/modules/by-name/fw/fwupd/module.nix
@@ -17,7 +17,13 @@ in {
options.soispha.services.fwupd = {
enable = lib.mkEnableOption "fwupd";
};
+
config = lib.mkIf cfg.enable {
services.fwupd.enable = true;
+
+ users = {
+ users.fwupd-refresh.uid = config.soispha.constants.ids.uids.fwupd-refresh;
+ groups.fwupd-refresh.gid = config.soispha.constants.ids.gids.fwupd-refresh;
+ };
};
}
diff --git a/modules/by-name/ms/msr/module.nix b/modules/by-name/ms/msr/module.nix
new file mode 100644
index 00000000..521b3a40
--- /dev/null
+++ b/modules/by-name/ms/msr/module.nix
@@ -0,0 +1,17 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.soispha.msr;
+in {
+ options.soispha.msr = {
+ enable = (lib.mkEnableOption "msr") // {default = config.hardware.cpu.x86.msr.enable;};
+ };
+
+ config = lib.mkIf cfg.enable {
+ users = {
+ groups.msr.gid = config.soispha.constants.ids.gids.msr;
+ };
+ };
+}
diff --git a/modules/by-name/ne/networking/module.nix b/modules/by-name/ne/networking/module.nix
index 6f8633e8..ea080ea4 100644
--- a/modules/by-name/ne/networking/module.nix
+++ b/modules/by-name/ne/networking/module.nix
@@ -100,9 +100,12 @@ in {
"/etc/NetworkManager"
];
- users.users."${cfg.userName}".extraGroups = [
- "networkmanager" # allows to configure NetworkManager as this user
- ];
+ users.users = {
+ "${cfg.userName}".extraGroups = [
+ "networkmanager" # allows to configure NetworkManager as this user
+ ];
+ nm-iodine.uid = config.soispha.constants.ids.uids.nm-iodine;
+ };
})
]);
}
diff --git a/modules/by-name/ns/nscd/module.nix b/modules/by-name/ns/nscd/module.nix
new file mode 100644
index 00000000..94ca4874
--- /dev/null
+++ b/modules/by-name/ns/nscd/module.nix
@@ -0,0 +1,18 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.soispha.nscd;
+in {
+ options.soispha.nscd = {
+ enable = (lib.mkEnableOption "nscd") // {default = config.services.nscd.enableNsncd;};
+ };
+
+ config = lib.mkIf cfg.enable {
+ users = {
+ users.nscd.uid = config.soispha.constants.ids.uids.nscd;
+ groups.nscd.gid = config.soispha.constants.ids.gids.nscd;
+ };
+ };
+}
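Review bot: The default `config.services.nscd.enableNsncd` tracks the wrong switch: as far as I know `enableNsncd` only selects the nsncd implementation and is true by default, while the `nscd` user and group are created by `services.nscd.enable`. With the current default a host with nscd disabled still gets `users.users.nscd.uid` declared without `isSystemUser`, and a host running glibc nscd with `enableNsncd = false` gets no pinned ids at all. Suggest `enable = (lib.mkEnableOption "nscd") // {default = config.services.nscd.enable;};`.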
diff --git a/modules/by-name/oo/oomd/module.nix b/modules/by-name/oo/oomd/module.nix
new file mode 100644
index 00000000..ca332939
--- /dev/null
+++ b/modules/by-name/oo/oomd/module.nix
@@ -0,0 +1,18 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.soispha.systemd.oomd;
+in {
+ options.soispha.systemd.oomd = {
+ enable = (lib.mkEnableOption "oomd") // {default = config.systemd.oomd.enable;};
+ };
+
+ config = lib.mkIf cfg.enable {
+ users = {
+ users.systemd-oom.uid = config.soispha.constants.ids.uids.systemd-oom;
+ groups.systemd-oom.gid = config.soispha.constants.ids.gids.systemd-oom;
+ };
+ };
+}
diff --git a/modules/by-name/op/openssh/module.nix b/modules/by-name/op/openssh/module.nix
index 97cf7fd7..f77c357b 100644
--- a/modules/by-name/op/openssh/module.nix
+++ b/modules/by-name/op/openssh/module.nix
@@ -7,18 +7,36 @@
#
# You should have received a copy of the License along with this program.
# If not, see <https://www.gnu.org/licenses/gpl-3.0.txt>.
-{...}: {
- services.openssh = {
- enable = true;
- hostKeys = [
- {
- path = "/srv/sshd/ssh_host_ed25519_key";
- rounds = 1000;
- type = "ed25519";
- }
- ];
- settings = {
- PasswordAuthentication = false;
+{
+ config,
+ lib,
+ libraries,
+ ...
+}: let
+ cfg = config.soispha.services.openssh;
+in {
+ options.soispha.services.openssh = {
+ enable = libraries.base.options.mkEnable "openssh";
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.openssh = {
+ enable = true;
+ hostKeys = [
+ {
+ path = "/srv/sshd/ssh_host_ed25519_key";
+ rounds = 1000;
+ type = "ed25519";
+ }
+ ];
+
+ settings = {
+ PasswordAuthentication = false;
+ };
+ };
+ users = {
+ users.sshd.uid = config.soispha.constants.ids.uids.sshd;
+ groups.sshd.gid = config.soispha.constants.ids.gids.sshd;
};
};
}
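Review bot: `PasswordAuthentication = false;` on its own does not switch off password logins: NixOS leaves `services.openssh.settings.KbdInteractiveAuthentication` at its default of true, and with PAM that path still prompts for the account password, so the `settings` block only applies half of the intended hardening. Add `KbdInteractiveAuthentication = false;` beside it. Separately, the enable option uses `libraries.base.options.mkEnable "openssh"` while every other module in this commit uses `lib.mkEnableOption`; if `mkEnable` defaults to false, this hunk also turns sshd from unconditionally enabled into opt-in, which the commit message does not mention and is worth a line in the description or a comment at the option.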
diff --git a/modules/by-name/po/polkit/module.nix b/modules/by-name/po/polkit/module.nix
index c6d1c750..d8dd51b0 100644
--- a/modules/by-name/po/polkit/module.nix
+++ b/modules/by-name/po/polkit/module.nix
@@ -17,7 +17,10 @@ in {
options.soispha.polkit = {
enable = lib.mkEnableOption "polkit";
};
+
config = lib.mkIf cfg.enable {
security.polkit.enable = true;
+
+ users.groups.polkituser.gid = config.soispha.constants.ids.gids.polkituser;
};
}
diff --git a/modules/by-name/pr/printing/module.nix b/modules/by-name/pr/printing/module.nix
index c3283cbf..2e230570 100644
--- a/modules/by-name/pr/printing/module.nix
+++ b/modules/by-name/pr/printing/module.nix
@@ -30,6 +30,12 @@ in {
openFirewall = true;
};
+ users = {
+ users.avahi.uid = config.soispha.constants.ids.uids.avahi;
+ groups.avahi.gid = config.soispha.constants.ids.gids.avahi;
+ groups.lpadmin.gid = config.soispha.constants.ids.gids.lpadmin;
+ };
+
services.printing = {
enable = true;
startWhenNeeded = true;
diff --git a/modules/by-name/re/resolvconf/module.nix b/modules/by-name/re/resolvconf/module.nix
new file mode 100644
index 00000000..e1817e2b
--- /dev/null
+++ b/modules/by-name/re/resolvconf/module.nix
@@ -0,0 +1,15 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.soispha.resolvconf;
+in {
+ options.soispha.resolvconf = {
+ enable = lib.mkEnableOption "resolvconf" // {default = config.networking.resolvconf.enable;};
+ };
+
+ config = lib.mkIf cfg.enable {
+ users.groups.resolvconf.gid = config.soispha.constants.ids.gids.resolvconf;
+ };
+}
diff --git a/modules/by-name/so/sound/module.nix b/modules/by-name/so/sound/module.nix
index 622cc01d..404de050 100644
--- a/modules/by-name/so/sound/module.nix
+++ b/modules/by-name/so/sound/module.nix
@@ -30,6 +30,11 @@ in {
jack.enable = true;
};
+ users = {
+ users.rtkit.uid = config.soispha.constants.ids.uids.rtkit;
+ groups.rtkit.gid = config.soispha.constants.ids.gids.rtkit;
+ };
+
# TODO: Find a better way to set the default volume <2024-03-10>
#
# environment.etc.pipewire-pulse-config = {