authoredef <edef@edef.eu>2020-07-19 00:24:00 +0000
committeredef <edef@edef.eu>2020-07-19 00:28:02 +0000
commit2e4fb5cf4cb50870f93669a119b6b9d645c21b00 (patch)
tree5689c2a524388bc77c6ddaac0d4ddd3d8df71284 /nixos
parent903a0cac04a10ca50ca461e2fad127d05b7f1419 (diff)
nixos/users-groups: don't consider a system with Google OS Login inaccessible
This allows disabling users.mutableUsers without configuring any
authentication mechanisms (passwords, authorized SSH keys) other than
Google OS Login.
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/config/users-groups.nix6
1 files changed, 4 insertions, 2 deletions
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
index ee64f785f5b..56b7af98b61 100644
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -581,7 +581,7 @@ in {
         # password or an SSH authorized key. Privileged accounts are
         # root and users in the wheel group.
         assertion = !cfg.mutableUsers ->
-          any id (mapAttrsToList (name: cfg:
+          any id ((mapAttrsToList (name: cfg:
             (name == "root"
              || cfg.group == "wheel"
              || elem "wheel" cfg.extraGroups)
@@ -591,7 +591,9 @@ in {
              || cfg.passwordFile != null
              || cfg.openssh.authorizedKeys.keys != []
              || cfg.openssh.authorizedKeys.keyFiles != [])
-          ) cfg.users);
+          ) cfg.users) ++ [
+            config.security.googleOsLogin.enable
+          ]);
         message = ''
           Neither the root account nor any wheel user has a password or SSH authorized key.
           You must set one to prevent being locked out of your system.'';
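Review bot: Appending `config.security.googleOsLogin.enable` to the list makes the lockout assertion pass whenever the module is switched on, but the flag only shows that OS Login is configured, not that any identity actually holds admin login rights on this machine. With `users.mutableUsers = false` and no local password or key, privileged access then depends entirely on the external IAM binding and on the metadata service being reachable, which the assertion cannot check. That trade-off deserves a comment next to the new list element, e.g. `# OS Login counts as a login path; access then depends on IAM roles, not on local credentials`. The comment above the assertion (it starts outside this hunk) and the `message` text still name only a password or SSH authorized key, so a user who trips the assertion is not told that enabling OS Login is also accepted; consider `Neither the root account nor any wheel user has a password or SSH authorized key, and Google OS Login is not enabled.`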