nixos: reserve some uids/gids #2109
Conversation
|
I'll note this conflicts with #2103 but I'll rebase which-ever happens to be merged first. |
|
At Zalora we're using something like: { config, pkgs, ... }:
let
#!!! When deleting a user, don't reuse uids
# unless you know what you're doing
uids = {
# service name -> small number mapping here
# e.g. foundationdb = 1;
};
in {
options = {
zalora.daemonUids = pkgs.lib.mkOption {
description = "uids for zalora daemon users.";
internal = true;
type = pkgs.lib.types.attrsOf pkgs.lib.types.int;
};
};
config = {
zalora.daemonUids = pkgs.lib.mapAttrs (name: value: 1000 - value) uids;
};
}@edolstra Any thoughts on if there's anything we can do upstream to make this kind of thing nicer? I guess username->uid hashing might help. |
|
So, I asked @edolstra the other day about this, and he said reserving UIDs in this case is fine. In my case, the software is (mostly) publicly available, just with a non-free license, and the packages/modules will be available in my nixpkgs branch as right now, unfree modules are (mostly) unwelcome. Hence having UIDs/GIDs upstream greatly simplifies keeping the branches rebased (otherwise, merges get complex as IDs change, and then permissions get botched on But I don't know what to do in the more general, this-service-is-really-proprietary-but-I-need-an-ID case. Hashing is one option. Another is to actually reserve a part of the ID space for non-upstream needs (say all UIDs/GIDs in the range [2^15, 2^16] and provide a slightly different API for mapping private ids to this ID space.) |
I have some NixOS modules that I keep out of tree, and having UIDs/GIDs reserved is quite helpful. Signed-off-by: Austin Seipp <aseipp@pobox.com>
nixos: reserve some uids/gids (#2109)
I have some NixOS modules for unfree software that I keep out of tree, and having UIDs/GIDs reserved is quite helpful to keep the branches sane.