nixpkgs/nixos/modules/misc/ids.nix
talyz bb7ad853fb nixos/haproxy: Revive the haproxy user and group
Running haproxy with "DynamicUser = true" doesn't really work, since
it prohibits specifying a TLS certificate bundle with limited
permissions. This revives the haproxy user and group, but makes them
dynamically allocated by NixOS, rather than statically allocated. It
also adds options to specify which user and group haproxy runs as.
2020-03-11 19:52:37 +01:00

663 lines
16 KiB
Nix

# This module defines the global list of uids and gids. We keep a
# central list to prevent id collisions.
# IMPORTANT!
# We only add static uids and gids for services where it is not feasible
# to change uids/gids on service start, in example a service with a lot of
# files. Please also check if the service is applicable for systemd's
# DynamicUser option and does not need a uid/gid allocation at all.
# Systemd can also change ownership of service directories using the
# RuntimeDirectory/StateDirectory options.
{ lib, ... }:
let
inherit (lib) types;
in
{
options = {
ids.uids = lib.mkOption {
internal = true;
description = ''
The user IDs used in NixOS.
'';
type = types.attrsOf types.int;
};
ids.gids = lib.mkOption {
internal = true;
description = ''
The group IDs used in NixOS.
'';
type = types.attrsOf types.int;
};
};
config = {
ids.uids = {
root = 0;
#wheel = 1; # unused
#kmem = 2; # unused
#tty = 3; # unused
messagebus = 4; # D-Bus
haldaemon = 5;
#disk = 6; # unused
vsftpd = 7;
ftp = 8;
bitlbee = 9;
#avahi = 10; # removed 2019-05-22
nagios = 11;
atd = 12;
postfix = 13;
#postdrop = 14; # unused
dovecot = 15;
tomcat = 16;
#audio = 17; # unused
#floppy = 18; # unused
uucp = 19;
#lp = 20; # unused
#proc = 21; # unused
pulseaudio = 22; # must match `pulseaudio' GID
gpsd = 23;
#cdrom = 24; # unused
#tape = 25; # unused
#video = 26; # unused
#dialout = 27; # unused
polkituser = 28;
#utmp = 29; # unused
# ddclient = 30; # converted to DynamicUser = true
davfs2 = 31;
#disnix = 33; # unused
osgi = 34;
tor = 35;
cups = 36;
foldingathome = 37;
sabnzbd = 38;
#kdm = 39; # dropped in 17.03
#ghostone = 40; # dropped in 18.03
git = 41;
#fourstore = 42; # dropped in 20.03
#fourstorehttp = 43; # dropped in 20.03
virtuoso = 44;
rtkit = 45;
dovecot2 = 46;
dovenull2 = 47;
prayer = 49;
mpd = 50;
clamav = 51;
fprot = 52;
bind = 53;
wwwrun = 54;
#adm = 55; # unused
spamd = 56;
#networkmanager = 57; # unused
nslcd = 58;
scanner = 59;
nginx = 60;
chrony = 61;
#systemd-journal = 62; # unused
smtpd = 63;
smtpq = 64;
supybot = 65;
iodined = 66;
#libvirtd = 67; # unused
graphite = 68;
#statsd = 69; # removed 2018-11-14
transmission = 70;
postgres = 71;
#vboxusers = 72; # unused
#vboxsf = 73; # unused
smbguest = 74; # unused
varnish = 75;
datadog = 76;
lighttpd = 77;
lightdm = 78;
freenet = 79;
ircd = 80;
bacula = 81;
#almir = 82; # removed 2018-03-25, the almir package was removed in 30291227f2411abaca097773eedb49b8f259e297 during 2017-08
deluge = 83;
mysql = 84;
rabbitmq = 85;
activemq = 86;
gnunet = 87;
oidentd = 88;
quassel = 89;
amule = 90;
minidlna = 91;
elasticsearch = 92;
tcpcryptd = 93; # tcpcryptd uses a hard-coded uid. We patch it in Nixpkgs to match this choice.
firebird = 95;
#keys = 96; # unused
#haproxy = 97; # dynamically allocated as of 2020-03-11
mongodb = 98;
openldap = 99;
#users = 100; # unused
cgminer = 101;
munin = 102;
logcheck = 103;
nix-ssh = 104;
dictd = 105;
couchdb = 106;
searx = 107;
kippo = 108;
jenkins = 109;
systemd-journal-gateway = 110;
#notbit = 111; # unused
aerospike = 111;
ngircd = 112;
#btsync = 113; # unused
minecraft = 114;
vault = 115;
rippled = 116;
murmur = 117;
foundationdb = 118;
newrelic = 119;
starbound = 120;
hydra = 122;
spiped = 123;
teamspeak = 124;
influxdb = 125;
nsd = 126;
gitolite = 127;
znc = 128;
polipo = 129;
mopidy = 130;
#docker = 131; # unused
gdm = 132;
dhcpd = 133;
siproxd = 134;
mlmmj = 135;
neo4j = 136;
riemann = 137;
riemanndash = 138;
radvd = 139;
zookeeper = 140;
dnsmasq = 141;
uhub = 142;
yandexdisk = 143;
mxisd = 144; # was once collectd
consul = 145;
mailpile = 146;
redmine = 147;
seeks = 148;
prosody = 149;
i2pd = 150;
systemd-network = 152;
systemd-resolve = 153;
systemd-timesync = 154;
liquidsoap = 155;
etcd = 156;
hbase = 158;
opentsdb = 159;
scollector = 160;
bosun = 161;
kubernetes = 162;
peerflix = 163;
chronos = 164;
gitlab = 165;
tox-bootstrapd = 166;
cadvisor = 167;
nylon = 168;
apache-kafka = 169;
#panamax = 170; # unused
exim = 172;
#fleet = 173; # unused
#input = 174; # unused
sddm = 175;
tss = 176;
#memcached = 177; removed 2018-01-03
ntp = 179;
zabbix = 180;
#redis = 181; removed 2018-01-03
unifi = 183;
uptimed = 184;
zope2 = 185;
ripple-data-api = 186;
mediatomb = 187;
rdnssd = 188;
ihaskell = 189;
i2p = 190;
lambdabot = 191;
asterisk = 192;
plex = 193;
plexpy = 195;
grafana = 196;
skydns = 197;
# ripple-rest = 198; # unused, removed 2017-08-12
nix-serve = 199;
tvheadend = 200;
uwsgi = 201;
gitit = 202;
riemanntools = 203;
subsonic = 204;
riak = 205;
shout = 206;
gateone = 207;
namecoin = 208;
dnschain = 209;
#lxd = 210; # unused
kibana = 211;
xtreemfs = 212;
calibre-server = 213;
heapster = 214;
bepasty = 215;
# pumpio = 216; # unused, removed 2018-02-24
nm-openvpn = 217;
mathics = 218;
ejabberd = 219;
postsrsd = 220;
opendkim = 221;
dspam = 222;
gale = 223;
matrix-synapse = 224;
rspamd = 225;
# rmilter = 226; # unused, removed 2019-08-22
cfdyndns = 227;
gammu-smsd = 228;
pdnsd = 229;
octoprint = 230;
avahi-autoipd = 231;
nntp-proxy = 232;
mjpg-streamer = 233;
radicale = 234;
hydra-queue-runner = 235;
hydra-www = 236;
syncthing = 237;
caddy = 239;
taskd = 240;
# factorio = 241; # DynamicUser = true
# emby = 242; # unusued, removed 2019-05-01
graylog = 243;
sniproxy = 244;
nzbget = 245;
mosquitto = 246;
toxvpn = 247;
# squeezelite = 248; # DynamicUser = true
turnserver = 249;
smokeping = 250;
gocd-agent = 251;
gocd-server = 252;
terraria = 253;
mattermost = 254;
prometheus = 255;
telegraf = 256;
gitlab-runner = 257;
postgrey = 258;
hound = 259;
leaps = 260;
ipfs = 261;
stanchion = 262;
riak-cs = 263;
infinoted = 264;
sickbeard = 265;
headphones = 266;
couchpotato = 267;
gogs = 268;
pdns-recursor = 269;
#kresd = 270; # switched to "knot-resolver" with dynamic ID
rpc = 271;
geoip = 272;
fcron = 273;
sonarr = 274;
radarr = 275;
jackett = 276;
aria2 = 277;
clickhouse = 278;
rslsync = 279;
minio = 280;
kanboard = 281;
# pykms = 282; # DynamicUser = true
kodi = 283;
restya-board = 284;
mighttpd2 = 285;
hass = 286;
monero = 287;
ceph = 288;
duplicati = 289;
monetdb = 290;
restic = 291;
openvpn = 292;
meguca = 293;
yarn = 294;
hdfs = 295;
mapred = 296;
hadoop = 297;
hydron = 298;
cfssl = 299;
cassandra = 300;
qemu-libvirtd = 301;
# kvm = 302; # unused
# render = 303; # unused
# zeronet = 304; # removed 2019-01-03
lirc = 305;
lidarr = 306;
slurm = 307;
kapacitor = 308;
solr = 309;
alerta = 310;
minetest = 311;
rss2email = 312;
cockroachdb = 313;
zoneminder = 314;
paperless = 315;
#mailman = 316; # removed 2019-08-30
# When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
nixbld = 30000; # start of range of uids
nobody = 65534;
};
ids.gids = {
root = 0;
wheel = 1;
kmem = 2;
tty = 3;
messagebus = 4; # D-Bus
haldaemon = 5;
disk = 6;
vsftpd = 7;
ftp = 8;
bitlbee = 9;
#avahi = 10; # removed 2019-05-22
#nagios = 11; # unused
atd = 12;
postfix = 13;
postdrop = 14;
dovecot = 15;
tomcat = 16;
audio = 17;
floppy = 18;
uucp = 19;
lp = 20;
proc = 21;
pulseaudio = 22; # must match `pulseaudio' UID
gpsd = 23;
cdrom = 24;
tape = 25;
video = 26;
dialout = 27;
#polkituser = 28; # currently unused, polkitd doesn't need a group
utmp = 29;
# ddclient = 30; # converted to DynamicUser = true
davfs2 = 31;
disnix = 33;
osgi = 34;
tor = 35;
#cups = 36; # unused
#foldingathome = 37; # unused
#sabnzd = 38; # unused
#kdm = 39; # unused, even before 17.03
#ghostone = 40; # dropped in 18.03
git = 41;
fourstore = 42;
fourstorehttp = 43;
virtuoso = 44;
#rtkit = 45; # unused
dovecot2 = 46;
dovenull2 = 47;
prayer = 49;
mpd = 50;
clamav = 51;
fprot = 52;
#bind = 53; # unused
wwwrun = 54;
adm = 55;
spamd = 56;
networkmanager = 57;
nslcd = 58;
scanner = 59;
nginx = 60;
chrony = 61;
systemd-journal = 62;
smtpd = 63;
smtpq = 64;
supybot = 65;
iodined = 66;
libvirtd = 67;
graphite = 68;
#statsd = 69; # removed 2018-11-14
transmission = 70;
postgres = 71;
vboxusers = 72;
vboxsf = 73;
smbguest = 74; # unused
varnish = 75;
datadog = 76;
lighttpd = 77;
lightdm = 78;
freenet = 79;
ircd = 80;
bacula = 81;
#almir = 82; # removed 2018-03-25, the almir package was removed in 30291227f2411abaca097773eedb49b8f259e297 during 2017-08
deluge = 83;
mysql = 84;
rabbitmq = 85;
activemq = 86;
gnunet = 87;
oidentd = 88;
quassel = 89;
amule = 90;
minidlna = 91;
elasticsearch = 92;
#tcpcryptd = 93; # unused
firebird = 95;
keys = 96;
#haproxy = 97; # dynamically allocated as of 2020-03-11
#mongodb = 98; # unused
openldap = 99;
munin = 102;
#logcheck = 103; # unused
#nix-ssh = 104; # unused
dictd = 105;
couchdb = 106;
searx = 107;
kippo = 108;
jenkins = 109;
systemd-journal-gateway = 110;
#notbit = 111; # unused
aerospike = 111;
#ngircd = 112; # unused
#btsync = 113; # unused
#minecraft = 114; # unused
vault = 115;
#ripped = 116; # unused
#murmur = 117; # unused
foundationdb = 118;
newrelic = 119;
starbound = 120;
hydra = 122;
spiped = 123;
teamspeak = 124;
influxdb = 125;
nsd = 126;
gitolite = 127;
znc = 128;
polipo = 129;
mopidy = 130;
docker = 131;
gdm = 132;
#dhcpcd = 133; # unused
siproxd = 134;
mlmmj = 135;
#neo4j = 136; # unused
riemann = 137;
riemanndash = 138;
#radvd = 139; # unused
#zookeeper = 140; # unused
#dnsmasq = 141; # unused
uhub = 142;
#yandexdisk = 143; # unused
mxisd = 144; # was once collectd
#consul = 145; # unused
mailpile = 146;
redmine = 147;
seeks = 148;
prosody = 149;
i2pd = 150;
systemd-network = 152;
systemd-resolve = 153;
systemd-timesync = 154;
liquidsoap = 155;
#etcd = 156; # unused
hbase = 158;
opentsdb = 159;
scollector = 160;
bosun = 161;
kubernetes = 162;
#peerflix = 163; # unused
#chronos = 164; # unused
gitlab = 165;
nylon = 168;
#panamax = 170; # unused
exim = 172;
#fleet = 173; # unused
input = 174;
sddm = 175;
tss = 176;
#memcached = 177; # unused, removed 2018-01-03
#ntp = 179; # unused
zabbix = 180;
#redis = 181; # unused, removed 2018-01-03
#unifi = 183; # unused
#uptimed = 184; # unused
#zope2 = 185; # unused
#ripple-data-api = 186; #unused
mediatomb = 187;
#rdnssd = 188; # unused
ihaskell = 189;
i2p = 190;
lambdabot = 191;
asterisk = 192;
plex = 193;
sabnzbd = 194;
#grafana = 196; #unused
#skydns = 197; #unused
# ripple-rest = 198; # unused, removed 2017-08-12
#nix-serve = 199; #unused
#tvheadend = 200; #unused
uwsgi = 201;
gitit = 202;
riemanntools = 203;
subsonic = 204;
riak = 205;
#shout = 206; #unused
gateone = 207;
namecoin = 208;
#dnschain = 209; #unused
lxd = 210; # unused
#kibana = 211;
xtreemfs = 212;
calibre-server = 213;
bepasty = 215;
# pumpio = 216; # unused, removed 2018-02-24
nm-openvpn = 217;
mathics = 218;
ejabberd = 219;
postsrsd = 220;
opendkim = 221;
dspam = 222;
gale = 223;
matrix-synapse = 224;
rspamd = 225;
# rmilter = 226; # unused, removed 2019-08-22
cfdyndns = 227;
pdnsd = 229;
octoprint = 230;
radicale = 234;
syncthing = 237;
caddy = 239;
taskd = 240;
# factorio = 241; # unused
# emby = 242; # unused, removed 2019-05-01
sniproxy = 244;
nzbget = 245;
mosquitto = 246;
#toxvpn = 247; # unused
#squeezelite = 248; #unused
turnserver = 249;
smokeping = 250;
gocd-agent = 251;
gocd-server = 252;
terraria = 253;
mattermost = 254;
prometheus = 255;
#telegraf = 256; # unused
gitlab-runner = 257;
postgrey = 258;
hound = 259;
leaps = 260;
ipfs = 261;
stanchion = 262;
riak-cs = 263;
infinoted = 264;
sickbeard = 265;
headphones = 266;
couchpotato = 267;
gogs = 268;
#kresd = 270; # switched to "knot-resolver" with dynamic ID
#rpc = 271; # unused
#geoip = 272; # unused
fcron = 273;
sonarr = 274;
radarr = 275;
jackett = 276;
aria2 = 277;
clickhouse = 278;
rslsync = 279;
minio = 280;
kanboard = 281;
# pykms = 282; # DynamicUser = true
kodi = 283;
restya-board = 284;
mighttpd2 = 285;
hass = 286;
monero = 287;
ceph = 288;
duplicati = 289;
monetdb = 290;
restic = 291;
openvpn = 292;
meguca = 293;
yarn = 294;
hdfs = 295;
mapred = 296;
hadoop = 297;
hydron = 298;
cfssl = 299;
cassandra = 300;
qemu-libvirtd = 301;
kvm = 302; # default udev rules from systemd requires these
render = 303; # default udev rules from systemd requires these
# zeronet = 304; # removed 2019-01-03
lirc = 305;
lidarr = 306;
slurm = 307;
kapacitor = 308;
solr = 309;
alerta = 310;
minetest = 311;
rss2email = 312;
cockroachdb = 313;
zoneminder = 314;
paperless = 315;
#mailman = 316; # removed 2019-08-30
# When adding a gid, make sure it doesn't match an existing
# uid. Users and groups with the same name should have equal
# uids and gids. Also, don't use gids above 399!
users = 100;
nixbld = 30000;
nogroup = 65534;
};
};
}