Support user accounts managed by external identity management systems

[tomeon]

Description

This changeset introduces support in the NixOS module for entries in home-manager.users that do not have corresponding entries in users.users. The goal is to support Home Manager configurations for users provided by external identity management systems, as described in #5244, without resorting to hacks like re-specifying those users' details (UIDs, etc.) in users.users.

Checklist

• Change is backwards compatible. NOTE: this changeset alters the semantics of home-manager.useUserPackages: that option now provides the default value of the per-user option home-manager.users.<name>.home.useUserPackages, rather than globally instituting (or not) the use of users.users.<name>.packages. I believe this change is backward-compatible, given that no Home Manager NixOS module configuration will have used home-manager.users.<name>.home.useUserPackages before now, and so existing configurations will continue to globally use (or not) users.users.<name>.packages.

• Code formatted with ./format.

• Code tested through nix-shell --pure tests -A run.all
  or nix build --reference-lock-file flake.lock ./tests#test-all using Flakes.

• Test cases updated/added. See example.

• Commit messages are formatted like

  {component}: {description}
  
  {long description}
  

  See CONTRIBUTING for more information and recent commit messages for examples.

• If this PR adds a new module

  • [ ] Added myself as module maintainer. See example.

Maintainer CC

[jkachmar]

this changeset is pretty much exactly what I’m looking for; is anyone available to review or comment on why this may not be a particularly good approach?

[Guvante]

I have been testing this PR locally (after merging it with master to resolve the conflicts) and it seems to be working pretty effectively. The main downside is I didn't realize useUserPackages reintroduces a dependency on users.users (I thought it was about moving things to /etc/profile.d or something to that effect) but once I disabled that I was able to get it to work.

One issue that I am unsure is related to this or something else in my configuration (I am pretty sure this is related to my identity provider wigging out on me so I think it is unrelated) but I get the following error sometimes

warning: the following units failed: home-manager-$USER
× home-manager-$USER.service - Home Manager environment for $USER
Loaded: loaded (/etc/systemd/system/home-manager-$USER.service; enabled; preset: ignored)
Active: failed (Result: exit-code) since Sun 2025-09-21 09:47:53 PDT; 5s ago
Invocation: 23b02cd65ce0453196bae3be895c7ced
Process: 44914 ExecStart=/nix/store/2bkpj12f380wh0dfci43s6dszikdracn-hm-setup-env /nix/store/7sjslara3vrqpg4h8vicz74xwgg0gzca-home-manager-generation (code=exited, status=217/USER)
Main PID: 44914 (code=exited, status=217/USER)
IP: 0B in, 0B out
IO: 0B read, 0B written
Mem peak: 1.5M
CPU: 5ms

$timestamp $host systemd[1]: Starting Home Manager environment for $USER...
$timestamp $host (etup-env)[44914]: home-manager-$USER.service: Failed to determine user credentials: No such process
$timestamp $host (etup-env)[44914]: home-manager-$USER.service: Failed at step USER spawning /nix/store/2bkpj12f380wh0dfci43s6dszikdracn-hm-setup-env: No such process
$timestamp $host systemd[1]: $USER: Main process exited, code=exited, status=217/USER
$timestamp $host systemd[1]: $USER: Failed with result 'exit-code'.
$timestamp $host systemd[1]: Failed to start Home Manager environment for $USER.
warning: error(s) occurred while switching to the new configuration

Oddly enough when it does occur it is transient since manually running the service works

(To be clear not looking for help or anything just figured I would share the weird thing that happened when testing)

[tomeon]

@Guvante -- I have hit this same issue. I tried adding kanidm-unixd.service to the Wants and After lists of home-manager-<user>.service, but this did not solve the problem. I may try updating this PR to add support for delaying home-manager-<user>.service until <user> logs in.