nixos/users-groups: move home dir creation to systemd services

Fixes NixOS#6481 When the home directory is on a separate mount the user home directories were not created. Using systemd units with `RequiresMountsFor` solves the race condition.
awakesecurity · Mar 30, 2023 · b09ce20 · b09ce20
1 parent 1218af3
commit b09ce20
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 7 deletions.
diff --git a/nixos/modules/config/update-users-groups.pl b/nixos/modules/config/update-users-groups.pl
@@ -209,13 +209,6 @@ sub parseUser {
         }
     }
 
-    # Ensure home directory incl. ownership and permissions.
-    if ($u->{createHome}) {
-        make_path($u->{home}, { mode => 0700 }) if ! -e $u->{home};
-        chown $u->{uid}, $u->{gid}, $u->{home};
-        chmod 0700, $u->{home};
-    }
-
     if (defined $u->{passwordFile}) {
         if (-e $u->{passwordFile}) {
             $u->{hashedPassword} = read_file($u->{passwordFile});

diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
@@ -673,6 +673,23 @@ in {
         else null
       ));
 
+    systemd.services = lib.flip lib.mapAttrs' config.users.users (_: user: {
+      name = "awake-oneshot-home-${user.name}";
+      value = lib.mkIf user.createHome {
+        description = "Create ${user.name} $HOME directory";
+
+        script = ''
+          mkdir -p ${lib.escapeShellArg user.home}
+          chown ${lib.escapeShellArg "${user.name}:${user.group}"} ${lib.escapeShellArg user.home}
+        '';
+
+        wantedBy = [ "multi-user.target" ];
+
+        serviceConfig.Type = "oneshot";
+
+        unitConfig.RequiresMountsFor = [ (lib.escapeShellArg user.home) ];
+      };
+    });
   };
 
 }