Commit c4329104 authored by Scott Stephens

nixos/tpm2: create tss user and group if either is required

We only want to create users and groups in the module if they are the module defaults; if a user is specifying something else, we can presume that they are creating that themselves and don't want to conflict.

The previous implementation caused problems when the module was configured to use the /dev/tpmrm0 kernel resource manager. In this configuration, /dev/tpmrm0 would be owned by root, but in the group tss, which caused there to be no tss user created. This in turn caused the tss group to be a "normal" group, not a system group, and udev does not assign devices to normal groups. Unfortunately, there is no isSystemGroup option corresponding to the isSystemUser option. To avoid messing with the user system, we add the tss user if we need the group.

resolves #489756
parent b1fb31f3
+2 −2
@@ -276,11 +276,11 @@ in
        services.udev.extraRules = lib.mkIf cfg.applyUdevRules (udevRules cfg.tssUser cfg.tssGroup);

        # Create the tss user and group only if the default value is used
        users.users.${cfg.tssUser} = lib.mkIf (cfg.tssUser == "tss") {
        users.users.tss = lib.mkIf (cfg.tssUser == "tss" || cfg.tssGroup == "tss") {
          isSystemUser = true;
          group = "tss";
        };
        users.groups.${cfg.tssGroup} = lib.mkIf (cfg.tssGroup == "tss") { };
        users.groups.tss = lib.mkIf (cfg.tssUser == "tss" || cfg.tssGroup == "tss") { };

        environment.variables = lib.mkIf cfg.tctiEnvironment.enable (
          lib.attrsets.genAttrs
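Review bot: the comment "Create the tss user and group only if the default value is used" no longer describes the condition beneath it, which now creates both `users.users.tss` and `users.groups.tss` whenever either `cfg.tssUser` or `cfg.tssGroup` is "tss", so a reader of this file cannot tell why a user is created when only the group is wanted. Suggest restating the reason from the commit message in place, e.g. "Create the tss user whenever the tss group is needed: there is no isSystemGroup option, and udev only assigns devices to system groups, so the group is made a system group via the isSystemUser user that owns it." Since the same `(cfg.tssUser == "tss" || cfg.tssGroup == "tss")` expression is now duplicated on the user and the group, binding it once (for example `useDefaultTss = cfg.tssUser == "tss" || cfg.tssGroup == "tss";` in the enclosing `let`) would keep the two from drifting apart. Note also that when `cfg.tssUser` is "tss" but `cfg.tssGroup` is not, the created user still gets `group = "tss"` while the udev rules on the first context line use `cfg.tssGroup`; that is consistent with the stated intent that a non-default group is created by the user, but worth saying in the option documentation.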