systemd: enable sysusers by default #264879

Merged
merged 1 commit into from
Nov 2, 2023


nikstur
Contributor

@nikstur nikstur commented Nov 1, 2023

Description of changes

Build systemd-sysusers by default. This is part of a larger project to remove Perl from the activation. See more details on this project here: https://pad.lassul.us/nixos-perlless-activation

I intend on using systemd-sysusers to create users and groups instead of users-groups.pl. Because changing the systemd derivation will cause a mass rebuild, I factored this into a separate PR.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.11 Release Notes (or backporting 23.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

@nikstur nikstur requested a review from blitz November 1, 2023 20:03
@nikstur nikstur marked this pull request as ready for review November 1, 2023 20:03
@nikstur nikstur requested a review from a team as a code owner November 1, 2023 20:03
@aanderse
Member

aanderse commented Nov 1, 2023

i just read through the notes you provided... sounds really cool 👍

systemd-sysusers isn't nearly as feature filled as our perl scripts... but most of that gap magically goes away with /etc as an overlayfs - awesome stuff!

@delroth delroth added the 12.approvals: 1 This PR was reviewed and approved by one reputable person label Nov 2, 2023
@nikstur nikstur merged commit 6e4099c into NixOS:staging Nov 2, 2023
@aanderse
Member

aanderse commented Nov 2, 2023

@nikstur - is there anywhere i can keep up to date on the developments mentioned in that pad? i would love to follow along with what y'all are working on there... 🤩

@nikstur
Contributor Author

nikstur commented Nov 2, 2023

@aanderse I'll list all the associated PRs in the Pad. Otherwise, you can just follow my Nixpkgs activity I guess :D

@anna328p
Member

anna328p commented Aug 6, 2024

Broken by d43e323

@nikstur
Contributor Author

nikstur commented Aug 7, 2024

Broken by d43e323

What exactly is broken?

@anna328p
Member

It is now impossible to enable sysusers on a system that has "normal users", meaning that any system that uses perlless activation and/or immutable /etc will fail to build.

@Mic92
Member

Mic92 commented Aug 18, 2024

It is now impossible to enable sysusers on a system that has "normal users", meaning that any system that uses perlless activation and/or immutable /etc will fail to build.

They were not actual normal users because their uids were < 1000. So the "normal users" were a lie.

@anna328p
Member

Not if the uid was set manually, which was the case in my configuration.

@nikstur nikstur deleted the systemd-sysusers-staging branch August 18, 2024 20:22
@nikstur
Contributor Author

nikstur commented Aug 18, 2024

Irrespective of any workarounds, systemd-sysusers is not designed to create "normal" users. This PR makes this explicit.

However, there is another solution to this problem. Once #332719 is merged, you can use Userborn to manage your users without Perl.

@anna328p
Member

anna328p commented Aug 18, 2024

It is still the case that before d43e323, upon setting systemd.sysusers.enable = true; my configuration built and activated without issue; I did not notice any problems with UID assignment or password changes because, due to using a tmpfs as /, my configuration had set the UID explicitly and set the user's password using the initialHashedPassword option. After d43e323, my config did not build anymore and I needed to spend an hour tracking down a chain of poorly documented changes that had caused it.

(I was not present in whatever discussions led to this change; it feels like the general assumption is that I should have known this would happen.)

I would like to request the following changes to the assertion added in d43e323 to avoid unexpectedly breaking people's configs with no warning:

  • if possible, a stopgap solution: make the assertion conditional on all normal users' options being compatible with sysusers, such as using only initialHashedPassword or equivalent and setting the UID explicitly.
  • a better error message that explains what happened and what needs to be changed.

@nikstur
Contributor Author

nikstur commented Aug 19, 2024

I would like to request the following changes to the assertion

I'll happily review a PR.

Please understand, however, that my focus going forward will be Userborn as that's the solution to systemd-sysusers limitations.

it feels like the general assumption is that I should have known this would happen

With experimental features some breakage unfortunately has to be expected.
