Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos/users-groups: dump values of password options if multiple options have definitions #349308

Merged
merged 1 commit into from
Oct 31, 2024
Merged

nixos/users-groups: dump values of password options if multiple options have definitions #349308

merged 1 commit into from
Oct 31, 2024

Conversation

Ma27
Copy link
Member

@Ma27 Ma27 commented Oct 17, 2024

This was suggested since it might make it a little easier to identify the places where the definitions come from.

Retrieving the effective definitions from the module-system seems non-trivial, especially for submodules though, hence only the values are shown for now.

I'd argue that especially the password option are mostly a convenience thing for test setups. If the password is an actual secret, it should be treated as such, i.e. hashedPasswordFile should be used.

For the shadow VM test, the new section of the warning looks like this:

The values of these options are:
* users.users."leo".hashedPassword: "$6$ymzs8WINZ5wGwQcV$VC2S0cQiX8NVukOLymysTPn4v1zJoJp3NGyhnqyv/dAf4NWZsBWYveQcj6gEJr4ZUjRBRjM0Pj1L8TCQ8hUUp0"
* users.users."leo".hashedPasswordFile: null
* users.users."leo".password: null
* users.users."leo".initialHashedPassword: "!"
* users.users."leo".initialPassword: null

cc @K900 who brought up the suggestion
cc @infinisil because I'd be curious if there's a reasonable way to obtain definition locations for use-cases like this from options in submodules. I haven't found any.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@Ma27
nixos/users-groups: dump values of password options if multiple optio…
7cb22a0 
…ns have definitions

This was suggested since it might make it a little easier to identify
the places where the definitions come from.

Retrieving the effective definitions from the module-system seems
non-trivial, especially for submodules though, hence only the values are
shown for now.

I'd argue that especially the `password` option are mostly a convenience
thing for test setups. If the password is an actual secret, it should be
treated as such, i.e. `hashedPasswordFile` should be used.

For the `shadow` VM test, the new section of the warning looks like
this:

    The values of these options are:
    * users.users."leo".hashedPassword: "$6$ymzs8WINZ5wGwQcV$VC2S0cQiX8NVukOLymysTPn4v1zJoJp3NGyhnqyv/dAf4NWZsBWYveQcj6gEJr4ZUjRBRjM0Pj1L8TCQ8hUUp0"
    * users.users."leo".hashedPasswordFile: null
    * users.users."leo".password: null
    * users.users."leo".initialHashedPassword: "!"
    * users.users."leo".initialPassword: null
@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Oct 17, 2024
K900
K900 approved these changes Oct 17, 2024
View reviewed changes
Copy link
Contributor

@K900 K900 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Maybe we should hide passwords, but eh.

@Ma27
Copy link
Member Author

Ma27 commented Oct 17, 2024

Maybe we should hide passwords, but eh.

I mean, password should only be used for testing environments anyways (and if it's used, there's no point in suppressing it then in e.g. CI logs I'd argue).

Fine with being overruled on that, though.

@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 labels Oct 17, 2024
@wegank wegank added the 12.approvals: 1 This PR was reviewed and approved by one reputable person label Oct 19, 2024
@Ma27
Copy link
Member Author

Ma27 commented Oct 27, 2024

Given that we print out declarations in other places as well, I think the way this is done, is alright.
Would merge in a few days unless people bring up reservations about this change.

@Ma27 Ma27 merged commit 9c9b193 into NixOS:master Oct 31, 2024
28 checks passed
@Ma27 Ma27 deleted the dump-values-of-users.users-warning branch October 31, 2024 09:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@K900 K900 K900 approved these changes

Assignees
No one assigned
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 12.approvals: 1 This PR was reviewed and approved by one reputable person
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Ma27 @K900 @wegank