userborn: 0.4.0 -> 0.5.0 (#483684)

  userbornStaticFiles =

    pkgs.runCommand "static-userborn" { }

      "mkdir -p $out; ${lib.getExe cfg.package} ${userbornConfigJson} $out";

  previousConfigPath = "/var/lib/userborn/previous-userborn.json";

  immutableEtc = config.system.etc.overlay.enable && !config.system.etc.overlay.mutable;

  # The filenames created by userborn.

        # This way we don't have to re-declare all the dependencies to other

        # services again.

        aliases = [ "systemd-sysusers.service" ];

        environment = {

          USERBORN_MUTABLE_USERS = lib.boolToString userCfg.mutableUsers;

          USERBORN_PREVIOUS_CONFIG = lib.mkIf userCfg.mutableUsers previousConfigPath;

        };

        unitConfig = {

          Description = "Manage Users and Groups";

          Type = "oneshot";

          RemainAfterExit = true;

          TimeoutSec = "90s";

          StateDirectory = "userborn";

          ExecStart = "${lib.getExe cfg.package} ${userbornConfigJson} ${cfg.passwordFilesLocation}";

            ))

          ];

          ExecStartPost =

            if userCfg.mutableUsers then

              # Store the config somewhere for the next invocation

              [

                "${pkgs.coreutils}/bin/ln -sf ${userbornConfigJson} ${previousConfigPath}"

              ]

            else

              # Make the source files read-only after userborn has finished.

          ExecStartPost = lib.mkIf (!userCfg.mutableUsers) (

            lib.map (

              (lib.map (

                file:

                "${pkgs.util-linux}/bin/mount --bind -o ro ${cfg.passwordFilesLocation}/${file} ${cfg.passwordFilesLocation}/${file}"

            ) passwordFiles

          );

              ) passwordFiles);

        };

      };

    };

  meta.maintainers = with lib.maintainers; [ nikstur ];

  nodes.machine =

    { config, ... }:

    { pkgs, ... }:

    {

      imports = [ common ];

        inheritParentConfig = false;

        configuration = {

          nixpkgs = {

            inherit (config.nixpkgs) hostPlatform;

            inherit pkgs;

          };

          imports = [ common ];

  meta.maintainers = with lib.maintainers; [ nikstur ];

  nodes.machine =

    { config, ... }:

    { pkgs, ... }:

    {

      imports = [ common ];

        inheritParentConfig = false;

        configuration = {

          nixpkgs = {

            inherit (config.nixpkgs) hostPlatform;

            inherit pkgs;

          };

          imports = [ common ];

  meta.maintainers = with lib.maintainers; [ nikstur ];

  nodes.machine =

    { config, ... }:

    { pkgs, ... }:

    {

      imports = [ common ];

        inheritParentConfig = false;

        configuration = {

          nixpkgs = {

            inherit (config.nixpkgs) hostPlatform;

            inherit pkgs;

          };

          imports = [ common ];

  meta.maintainers = with lib.maintainers; [ nikstur ];

  nodes.machine =

    { config, ... }:

    { pkgs, ... }:

    {

      imports = [ common ];

        inheritParentConfig = false;

        configuration = {

          nixpkgs = {

            inherit (config.nixpkgs) hostPlatform;

            inherit pkgs;

          };

          imports = [ common ];

            new-normalo = {

              isNormalUser = true;

            };

            mutable-to-declarative = {

              isNormalUser = true;

              description = "I'm now declaratively managed";

            };

          };

        };

      };

      assert 1000 == int(machine.succeed("id --user normalo")), "normalo user doesn't have UID 1000"

      assert "${normaloHashedPassword}" in machine.succeed("getent shadow normalo"), "normalo user password is not correct"

    with subtest("Add new user manually"):

    with subtest("Add new user manual-normalo manually"):

      machine.succeed("useradd manual-normalo")

      assert 1001 == int(machine.succeed("id --user manual-normalo")), "manual-normalo user doesn't have UID 1001"

    with subtest("Delete manual--normalo user manually"):

      machine.succeed("userdel manual-normalo")

    with subtest("Add new user mutable-to-declarative manually"):

      machine.succeed("useradd --comment 'I was created imperatively' mutable-to-declarative")

      assert 1002 == int(machine.succeed("id --user mutable-to-declarative")), "mutable-to-declarative user doesn't have UID 1002"

    machine.succeed("/run/current-system/specialisation/new-generation/bin/switch-to-configuration switch")

    with subtest("manual-normalo user is still enabled"):

      manual_normalo_shadow = machine.succeed("getent shadow manual-normalo")

      print(manual_normalo_shadow)

      t.assertNotIn("!*", manual_normalo_shadow, "manual-normalo user is falsely disabled")

    with subtest("mutable-to-declarative user description has changed"):

      mutable_to_declarative_passwd = machine.succeed("getent passwd mutable-to-declarative")

      print(mutable_to_declarative_passwd)

      t.assertIn("I'm now declaratively managed", mutable_to_declarative_passwd, "mutable-to-declarative user description is unchanged")

    with subtest("normalo user is disabled"):

      print(machine.succeed("getent shadow normalo"))

    with subtest("new-normalo user is created after switching to new generation"):

      print(machine.succeed("getent passwd new-normalo"))

      assert 1001 == int(machine.succeed("id --user new-normalo")), "new-normalo user doesn't have UID 1001"

      assert 1003 == int(machine.succeed("id --user new-normalo")), "new-normalo user doesn't have UID 1003"

    with subtest("Delete manual-normalo user manually"):

      machine.succeed("userdel manual-normalo")

  '';

}