diff options
| author | Janne Heß <janne@hess.ooo> | 2019-10-12 22:25:28 +0200 |
|---|---|---|
| committer | Janne Heß <janne@hess.ooo> | 2019-10-12 22:25:28 +0200 |
| commit | d6c08776ba620b7822bd0f0b8614a329ce8157e2 (patch) | |
| tree | bb2a64407ed5aa062f68239dfd7bfbb2bede6a4d /nixos/modules/services | |
| parent | d4f085036b34cba3c60cc8c9ee7d9db965404b1f (diff) | |
| download | nixpkgs-d6c08776ba620b7822bd0f0b8614a329ce8157e2.tar nixpkgs-d6c08776ba620b7822bd0f0b8614a329ce8157e2.tar.gz nixpkgs-d6c08776ba620b7822bd0f0b8614a329ce8157e2.tar.bz2 nixpkgs-d6c08776ba620b7822bd0f0b8614a329ce8157e2.tar.lz nixpkgs-d6c08776ba620b7822bd0f0b8614a329ce8157e2.tar.xz nixpkgs-d6c08776ba620b7822bd0f0b8614a329ce8157e2.tar.zst nixpkgs-d6c08776ba620b7822bd0f0b8614a329ce8157e2.zip | |
treewide: Switch to system users
Diffstat (limited to 'nixos/modules/services')
47 files changed, 80 insertions, 17 deletions
diff --git a/nixos/modules/services/admin/oxidized.nix b/nixos/modules/services/admin/oxidized.nix index 39112c3970d..da81be3f23e 100644 --- a/nixos/modules/services/admin/oxidized.nix +++ b/nixos/modules/services/admin/oxidized.nix @@ -89,6 +89,7 @@ in group = cfg.group; home = cfg.dataDir; createHome = true; + isSystemUser = true; }; systemd.services.oxidized = { diff --git a/nixos/modules/services/audio/jack.nix b/nixos/modules/services/audio/jack.nix index aa3351f401a..ceff366d0bb 100644 --- a/nixos/modules/services/audio/jack.nix +++ b/nixos/modules/services/audio/jack.nix @@ -223,6 +223,7 @@ in { group = "jackaudio"; extraGroups = [ "audio" ]; description = "JACK Audio system service user"; + isSystemUser = true; }; # http://jackaudio.org/faq/linux_rt_config.html security.pam.loginLimits = [ diff --git a/nixos/modules/services/backup/automysqlbackup.nix b/nixos/modules/services/backup/automysqlbackup.nix index 1884f3536a9..e3a8d1f7993 100644 --- a/nixos/modules/services/backup/automysqlbackup.nix +++ b/nixos/modules/services/backup/automysqlbackup.nix @@ -99,7 +99,10 @@ in environment.systemPackages = [ pkg ]; - users.users.${user}.group = group; + users.users.${user} = { + group = group; + isSystemUser = true; + }; users.groups.${group} = { }; systemd.tmpfiles.rules = [ diff --git a/nixos/modules/services/backup/borgbackup.nix b/nixos/modules/services/backup/borgbackup.nix index 2ad116a7872..9080f2a170a 100644 --- a/nixos/modules/services/backup/borgbackup.nix +++ b/nixos/modules/services/backup/borgbackup.nix @@ -106,7 +106,7 @@ let nameValuePair "borgbackup-job-${name}" (stringAfter [ "users" ] ('' # Eensure that the home directory already exists # We can't assert createHome == true because that's not the case for root - cd "${config.users.users.${cfg.user}.home}" + cd "${config.users.users.${cfg.user}.home}" ${install} -d .config/borg ${install} -d .cache/borg '' + optionalString (isLocalPath cfg.repo) '' diff --git a/nixos/modules/services/continuous-integration/buildkite-agent.nix b/nixos/modules/services/continuous-integration/buildkite-agent.nix index 12cc3d2b1cc..32f361454bc 100644 --- a/nixos/modules/services/continuous-integration/buildkite-agent.nix +++ b/nixos/modules/services/continuous-integration/buildkite-agent.nix @@ -191,6 +191,7 @@ in createHome = true; description = "Buildkite agent user"; extraGroups = [ "keys" ]; + isSystemUser = true; }; environment.systemPackages = [ cfg.package ]; diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix index 9c389d80a6d..df4e01fd98f 100644 --- a/nixos/modules/services/databases/redis.nix +++ b/nixos/modules/services/databases/redis.nix @@ -194,7 +194,10 @@ in allowedTCPPorts = [ cfg.port ]; }; - users.users.redis.description = "Redis database user"; + users.users.redis = { + description = "Redis database user"; + isSystemUser = true; + }; environment.systemPackages = [ cfg.package ]; diff --git a/nixos/modules/services/databases/rethinkdb.nix b/nixos/modules/services/databases/rethinkdb.nix index 4828e594b32..f18fbaf5b06 100644 --- a/nixos/modules/services/databases/rethinkdb.nix +++ b/nixos/modules/services/databases/rethinkdb.nix @@ -99,6 +99,7 @@ in users.users.rethinkdb = mkIf (cfg.user == "rethinkdb") { name = "rethinkdb"; description = "RethinkDB server user"; + isSystemUser = true; }; users.groups = optionalAttrs (cfg.group == "rethinkdb") (singleton diff --git a/nixos/modules/services/editors/infinoted.nix b/nixos/modules/services/editors/infinoted.nix index 9cc8d421270..be366761694 100644 --- a/nixos/modules/services/editors/infinoted.nix +++ b/nixos/modules/services/editors/infinoted.nix @@ -115,6 +115,7 @@ in { { name = "infinoted"; description = "Infinoted user"; group = cfg.group; + isSystemUser = true; }; users.groups = optional (cfg.group == "infinoted") { name = "infinoted"; diff --git a/nixos/modules/services/hardware/trezord.nix b/nixos/modules/services/hardware/trezord.nix index 62824ed7350..f6931d0b51a 100644 --- a/nixos/modules/services/hardware/trezord.nix +++ b/nixos/modules/services/hardware/trezord.nix @@ -74,6 +74,7 @@ in { users.users.trezord = { group = "trezord"; description = "Trezor bridge daemon user"; + isSystemUser = true; }; users.groups.trezord = {}; diff --git a/nixos/modules/services/hardware/usbmuxd.nix b/nixos/modules/services/hardware/usbmuxd.nix index 93ced0b9f04..39bbcaf4627 100644 --- a/nixos/modules/services/hardware/usbmuxd.nix +++ b/nixos/modules/services/hardware/usbmuxd.nix @@ -47,6 +47,7 @@ in name = cfg.user; description = "usbmuxd user"; group = cfg.group; + isSystemUser = true; }; users.groups = optional (cfg.group == defaultUserGroup) { diff --git a/nixos/modules/services/hardware/vdr.nix b/nixos/modules/services/hardware/vdr.nix index 6e246f70f51..8a6cde51b06 100644 --- a/nixos/modules/services/hardware/vdr.nix +++ b/nixos/modules/services/hardware/vdr.nix @@ -66,6 +66,7 @@ in { users.users.vdr = { group = "vdr"; home = libDir; + isSystemUser = true; }; users.groups.vdr = {}; diff --git a/nixos/modules/services/mail/mailhog.nix b/nixos/modules/services/mail/mailhog.nix index b78f4c8e0e6..0f998c6d0ea 100644 --- a/nixos/modules/services/mail/mailhog.nix +++ b/nixos/modules/services/mail/mailhog.nix @@ -27,6 +27,7 @@ in { users.users.mailhog = { name = cfg.user; description = "MailHog service user"; + isSystemUser = true; }; systemd.services.mailhog = { diff --git a/nixos/modules/services/misc/airsonic.nix b/nixos/modules/services/misc/airsonic.nix index 919d3b2f6e6..c296e048cea 100644 --- a/nixos/modules/services/misc/airsonic.nix +++ b/nixos/modules/services/misc/airsonic.nix @@ -148,6 +148,7 @@ in { name = cfg.user; home = cfg.home; createHome = true; + isSystemUser = true; }; }; } diff --git a/nixos/modules/services/misc/docker-registry.nix b/nixos/modules/services/misc/docker-registry.nix index c87607d2666..89bac4f47d7 100644 --- a/nixos/modules/services/misc/docker-registry.nix +++ b/nixos/modules/services/misc/docker-registry.nix @@ -145,11 +145,13 @@ in { }; users.users.docker-registry = - if cfg.storagePath != null + (if cfg.storagePath != null then { createHome = true; home = cfg.storagePath; } - else {}; + else {}) // { + isSystemUser = true; + }; }; } diff --git a/nixos/modules/services/misc/errbot.nix b/nixos/modules/services/misc/errbot.nix index 256adce2f02..b447ba5d438 100644 --- a/nixos/modules/services/misc/errbot.nix +++ b/nixos/modules/services/misc/errbot.nix @@ -76,7 +76,10 @@ in { }; config = mkIf (cfg.instances != {}) { - users.users.errbot.group = "errbot"; + users.users.errbot = { + group = "errbot"; + isSystemUser = true; + }; users.groups.errbot = {}; systemd.services = mapAttrs' (name: instanceCfg: nameValuePair "errbot-${name}" ( diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix index 4992b13c9d4..c8c59fb256e 100644 --- a/nixos/modules/services/misc/gitea.nix +++ b/nixos/modules/services/misc/gitea.nix @@ -409,6 +409,7 @@ in home = cfg.stateDir; useDefaultShell = true; group = "gitea"; + isSystemUser = true; }; }; diff --git a/nixos/modules/services/misc/gollum.nix b/nixos/modules/services/misc/gollum.nix index 7653b415bf0..f4a9c72b154 100644 --- a/nixos/modules/services/misc/gollum.nix +++ b/nixos/modules/services/misc/gollum.nix @@ -71,6 +71,7 @@ in group = config.users.users.gollum.name; description = "Gollum user"; createHome = false; + isSystemUser = true; }; users.groups.gollum = { }; diff --git a/nixos/modules/services/misc/jellyfin.nix b/nixos/modules/services/misc/jellyfin.nix index 55559206568..6ecdfb57dc3 100644 --- a/nixos/modules/services/misc/jellyfin.nix +++ b/nixos/modules/services/misc/jellyfin.nix @@ -41,7 +41,10 @@ in }; users.users = mkIf (cfg.user == "jellyfin") { - jellyfin.group = cfg.group; + jellyfin = { + group = cfg.group; + isSystemUser = true; + }; }; users.groups = mkIf (cfg.group == "jellyfin") { diff --git a/nixos/modules/services/misc/osrm.nix b/nixos/modules/services/misc/osrm.nix index f89f37ccd9d..79c347ab7e0 100644 --- a/nixos/modules/services/misc/osrm.nix +++ b/nixos/modules/services/misc/osrm.nix @@ -59,6 +59,7 @@ in group = config.users.users.osrm.name; description = "OSRM user"; createHome = false; + isSystemUser = true; }; users.groups.osrm = { }; diff --git a/nixos/modules/services/monitoring/collectd.nix b/nixos/modules/services/monitoring/collectd.nix index 6a4c678eb21..d4b605d6217 100644 --- a/nixos/modules/services/monitoring/collectd.nix +++ b/nixos/modules/services/monitoring/collectd.nix @@ -98,6 +98,7 @@ in { users.users = optional (cfg.user == "collectd") { name = "collectd"; + isSystemUser = true; }; }; } diff --git a/nixos/modules/services/monitoring/fusion-inventory.nix b/nixos/modules/services/monitoring/fusion-inventory.nix index b90579bb70c..fe19ed56195 100644 --- a/nixos/modules/services/monitoring/fusion-inventory.nix +++ b/nixos/modules/services/monitoring/fusion-inventory.nix @@ -49,6 +49,7 @@ in { users.users = singleton { name = "fusion-inventory"; description = "FusionInventory user"; + isSystemUser = true; }; systemd.services.fusion-inventory = { diff --git a/nixos/modules/services/monitoring/netdata.nix b/nixos/modules/services/monitoring/netdata.nix index 463b1b882ac..7d976db9630 100644 --- a/nixos/modules/services/monitoring/netdata.nix +++ b/nixos/modules/services/monitoring/netdata.nix @@ -181,6 +181,7 @@ in { users.users = optional (cfg.user == defaultUser) { name = defaultUser; + isSystemUser = true; }; users.groups = optional (cfg.group == defaultUser) { diff --git a/nixos/modules/services/monitoring/zabbix-agent.nix b/nixos/modules/services/monitoring/zabbix-agent.nix index 856b9432892..b3383ed628b 100644 --- a/nixos/modules/services/monitoring/zabbix-agent.nix +++ b/nixos/modules/services/monitoring/zabbix-agent.nix @@ -131,6 +131,7 @@ in users.users.${user} = { description = "Zabbix Agent daemon user"; inherit group; + isSystemUser = true; }; users.groups.${group} = { }; diff --git a/nixos/modules/services/networking/bitcoind.nix b/nixos/modules/services/networking/bitcoind.nix index 1439d739da9..90f1291c019 100644 --- a/nixos/modules/services/networking/bitcoind.nix +++ b/nixos/modules/services/networking/bitcoind.nix @@ -187,6 +187,7 @@ in { group = cfg.group; description = "Bitcoin daemon user"; home = cfg.dataDir; + isSystemUser = true; }; users.groups.${cfg.group} = { name = cfg.group; diff --git a/nixos/modules/services/networking/dnscache.nix b/nixos/modules/services/networking/dnscache.nix index 5051fc916d9..d123bca9321 100644 --- a/nixos/modules/services/networking/dnscache.nix +++ b/nixos/modules/services/networking/dnscache.nix @@ -84,7 +84,7 @@ in { config = mkIf config.services.dnscache.enable { environment.systemPackages = [ pkgs.djbdns ]; - users.users.dnscache = {}; + users.users.dnscache.isSystemUser = true; systemd.services.dnscache = { description = "djbdns dnscache server"; diff --git a/nixos/modules/services/networking/dnscrypt-wrapper.nix b/nixos/modules/services/networking/dnscrypt-wrapper.nix index bf13d5c6f5f..79f9e1a4308 100644 --- a/nixos/modules/services/networking/dnscrypt-wrapper.nix +++ b/nixos/modules/services/networking/dnscrypt-wrapper.nix @@ -142,6 +142,7 @@ in { description = "dnscrypt-wrapper daemon user"; home = "${dataDir}"; createHome = true; + isSystemUser = true; }; users.groups.dnscrypt-wrapper = { }; diff --git a/nixos/modules/services/networking/hans.nix b/nixos/modules/services/networking/hans.nix index 20e57e4626e..4f60300f5ff 100644 --- a/nixos/modules/services/networking/hans.nix +++ b/nixos/modules/services/networking/hans.nix @@ -138,6 +138,7 @@ in users.users = singleton { name = hansUser; description = "Hans daemon user"; + isSystemUser = true; }; }; diff --git a/nixos/modules/services/networking/matterbridge.nix b/nixos/modules/services/networking/matterbridge.nix index 1fd63348c16..682eaa6eb29 100644 --- a/nixos/modules/services/networking/matterbridge.nix +++ b/nixos/modules/services/networking/matterbridge.nix @@ -95,6 +95,7 @@ in users.users = optional (cfg.user == "matterbridge") { name = "matterbridge"; group = "matterbridge"; + isSystemUser = true; }; users.groups = optional (cfg.group == "matterbridge") diff --git a/nixos/modules/services/networking/morty.nix b/nixos/modules/services/networking/morty.nix index 1b3084fe9ab..e3a6444c116 100644 --- a/nixos/modules/services/networking/morty.nix +++ b/nixos/modules/services/networking/morty.nix @@ -74,6 +74,7 @@ in { description = "Morty user"; createHome = true; home = "/var/lib/morty"; + isSystemUser = true; }; systemd.services.morty = diff --git a/nixos/modules/services/networking/nghttpx/default.nix b/nixos/modules/services/networking/nghttpx/default.nix index d6e1906e388..881a2670f5d 100644 --- a/nixos/modules/services/networking/nghttpx/default.nix +++ b/nixos/modules/services/networking/nghttpx/default.nix @@ -96,6 +96,7 @@ in users.groups.nghttpx = { }; users.users.nghttpx = { group = config.users.groups.nghttpx.name; + isSystemUser = true; }; diff --git a/nixos/modules/services/networking/owamp.nix b/nixos/modules/services/networking/owamp.nix index 821a0258f4b..dbb2e3b4c40 100644 --- a/nixos/modules/services/networking/owamp.nix +++ b/nixos/modules/services/networking/owamp.nix @@ -21,6 +21,7 @@ in name = "owamp"; group = "owamp"; description = "Owamp daemon"; + isSystemUser = true; }; users.groups = singleton { diff --git a/nixos/modules/services/networking/thelounge.nix b/nixos/modules/services/networking/thelounge.nix index b1d23372955..875d8f66169 100644 --- a/nixos/modules/services/networking/thelounge.nix +++ b/nixos/modules/services/networking/thelounge.nix @@ -56,6 +56,7 @@ in { users.users.thelounge = { description = "thelounge service user"; group = "thelounge"; + isSystemUser = true; }; users.groups.thelounge = {}; systemd.services.thelounge = { diff --git a/nixos/modules/services/networking/tinydns.nix b/nixos/modules/services/networking/tinydns.nix index 7d5db71601e..7b2c464ab46 100644 --- a/nixos/modules/services/networking/tinydns.nix +++ b/nixos/modules/services/networking/tinydns.nix @@ -32,7 +32,7 @@ with lib; config = mkIf config.services.tinydns.enable { environment.systemPackages = [ pkgs.djbdns ]; - users.users.tinydns = {}; + users.users.tinydns.isSystemUser = true; systemd.services.tinydns = { description = "djbdns tinydns server"; diff --git a/nixos/modules/services/scheduling/marathon.nix b/nixos/modules/services/scheduling/marathon.nix index 0961a67770e..2e0d20c64b2 100644 --- a/nixos/modules/services/scheduling/marathon.nix +++ b/nixos/modules/services/scheduling/marathon.nix @@ -93,6 +93,6 @@ in { }; }; - users.users.${cfg.user} = { }; + users.users.${cfg.user}.isSystemUser = true; }; } diff --git a/nixos/modules/services/security/bitwarden_rs/default.nix b/nixos/modules/services/security/bitwarden_rs/default.nix index 80fd65891ff..d1817db0755 100644 --- a/nixos/modules/services/security/bitwarden_rs/default.nix +++ b/nixos/modules/services/security/bitwarden_rs/default.nix @@ -74,7 +74,10 @@ in { webVaultEnabled = mkDefault true; }; - users.users.bitwarden_rs = { inherit group; }; + users.users.bitwarden_rs = { + inherit group; + isSystemUser = true; + }; users.groups.bitwarden_rs = { }; systemd.services.bitwarden_rs = { diff --git a/nixos/modules/services/security/oauth2_proxy.nix b/nixos/modules/services/security/oauth2_proxy.nix index bb03f7fc9e4..2abb9ec32ac 100644 --- a/nixos/modules/services/security/oauth2_proxy.nix +++ b/nixos/modules/services/security/oauth2_proxy.nix @@ -546,6 +546,7 @@ in users.users.oauth2_proxy = { description = "OAuth2 Proxy"; + isSystemUser = true; }; systemd.services.oauth2_proxy = { diff --git a/nixos/modules/services/torrent/magnetico.nix b/nixos/modules/services/torrent/magnetico.nix index 02fa2ac0750..a7acdb78b31 100644 --- a/nixos/modules/services/torrent/magnetico.nix +++ b/nixos/modules/services/torrent/magnetico.nix @@ -171,6 +171,7 @@ in { users.users.magnetico = { description = "Magnetico daemons user"; + isSystemUser = true; }; systemd.services.magneticod = { diff --git a/nixos/modules/services/web-apps/codimd.nix b/nixos/modules/services/web-apps/codimd.nix index 7ae7cd9c52d..5f56f8ed5a0 100644 --- a/nixos/modules/services/web-apps/codimd.nix +++ b/nixos/modules/services/web-apps/codimd.nix @@ -893,6 +893,7 @@ in extraGroups = cfg.groups; home = cfg.workDir; createHome = true; + isSystemUser = true; }; systemd.services.codimd = { diff --git a/nixos/modules/services/web-apps/frab.nix b/nixos/modules/services/web-apps/frab.nix index 7914e5cc0ee..a9a30b40922 100644 --- a/nixos/modules/services/web-apps/frab.nix +++ b/nixos/modules/services/web-apps/frab.nix @@ -177,6 +177,7 @@ in { name = cfg.user; group = cfg.group; home = "${cfg.statePath}"; + isSystemUser = true; } ]; diff --git a/nixos/modules/services/web-apps/limesurvey.nix b/nixos/modules/services/web-apps/limesurvey.nix index 68b57a9b90d..bd524524130 100644 --- a/nixos/modules/services/web-apps/limesurvey.nix +++ b/nixos/modules/services/web-apps/limesurvey.nix @@ -277,7 +277,10 @@ in systemd.services.httpd.after = optional mysqlLocal "mysql.service" ++ optional pgsqlLocal "postgresql.service"; - users.users.${user}.group = group; + users.users.${user} = { + group = group; + isSystemUser = true; + }; }; } diff --git a/nixos/modules/services/web-apps/mediawiki.nix b/nixos/modules/services/web-apps/mediawiki.nix index ec2568bf952..43edc04e1a4 100644 --- a/nixos/modules/services/web-apps/mediawiki.nix +++ b/nixos/modules/services/web-apps/mediawiki.nix @@ -461,7 +461,10 @@ in systemd.services.httpd.after = optional (cfg.database.createLocally && cfg.database.type == "mysql") "mysql.service"; - users.users.${user}.group = group; + users.users.${user} = { + group = group; + isSystemUser = true; + }; environment.systemPackages = [ mediawikiScripts ]; }; diff --git a/nixos/modules/services/web-apps/moodle.nix b/nixos/modules/services/web-apps/moodle.nix index 211bc17ee19..ac59f9e0012 100644 --- a/nixos/modules/services/web-apps/moodle.nix +++ b/nixos/modules/services/web-apps/moodle.nix @@ -309,7 +309,9 @@ in systemd.services.httpd.after = optional mysqlLocal "mysql.service" ++ optional pgsqlLocal "postgresql.service"; - users.users.${user}.group = group; - + users.users.${user} = { + group = group; + isSystemUser = true; + }; }; } diff --git a/nixos/modules/services/web-apps/virtlyst.nix b/nixos/modules/services/web-apps/virtlyst.nix index e5c0bff2168..37bdbb0e3b4 100644 --- a/nixos/modules/services/web-apps/virtlyst.nix +++ b/nixos/modules/services/web-apps/virtlyst.nix @@ -54,6 +54,7 @@ in home = stateDir; createHome = true; group = mkIf config.virtualisation.libvirtd.enable "libvirtd"; + isSystemUser = true; }; systemd.services.virtlyst = { diff --git a/nixos/modules/services/web-apps/wordpress.nix b/nixos/modules/services/web-apps/wordpress.nix index e311dd917dd..f1370c2854b 100644 --- a/nixos/modules/services/web-apps/wordpress.nix +++ b/nixos/modules/services/web-apps/wordpress.nix @@ -367,7 +367,10 @@ in }) ]; - users.users.${user}.group = group; + users.users.${user} = { + group = group; + isSystemUser = true; + }; }; } diff --git a/nixos/modules/services/web-servers/hitch/default.nix b/nixos/modules/services/web-servers/hitch/default.nix index a6c4cbea122..1812f225b74 100644 --- a/nixos/modules/services/web-servers/hitch/default.nix +++ b/nixos/modules/services/web-servers/hitch/default.nix @@ -102,7 +102,10 @@ with lib; environment.systemPackages = [ pkgs.hitch ]; - users.users.hitch.group = "hitch"; + users.users.hitch = { + group = "hitch"; + isSystemUser = true; + }; users.groups.hitch = {}; }; } diff --git a/nixos/modules/services/web-servers/traefik.nix b/nixos/modules/services/web-servers/traefik.nix index 8de7df0d446..5b0fc467ea4 100644 --- a/nixos/modules/services/web-servers/traefik.nix +++ b/nixos/modules/services/web-servers/traefik.nix @@ -117,6 +117,7 @@ in { group = "traefik"; home = cfg.dataDir; createHome = true; + isSystemUser = true; }; users.groups.traefik = {}; diff --git a/nixos/modules/services/web-servers/unit/default.nix b/nixos/modules/services/web-servers/unit/default.nix index a4a9d370d64..32f6d475b34 100644 --- a/nixos/modules/services/web-servers/unit/default.nix +++ b/nixos/modules/services/web-servers/unit/default.nix @@ -116,6 +116,7 @@ in { users.users = optionalAttrs (cfg.user == "unit") (singleton { name = "unit"; group = cfg.group; + isSystemUser = true; }); users.groups = optionalAttrs (cfg.group == "unit") (singleton { |