nixos/users-groups: split isSystemUser/isNormalUser and uid check into two (#357944)

Author: SuperSandro2000

nixos/modules/config/users-groups.nix

@@ -940,9 +940,18 @@ in {
             of /etc/shadow (file where hashes are stored) are colon-separated.
             Please check the value of option `users.users."${user.name}".hashedPassword`.'';
           }
+          {
+            assertion = user.isNormalUser && user.uid != null -> user.uid >= 1000;
+            message = ''
+              A user cannot have a users.users.${user.name}.uid set below 1000 and set users.users.${user.name}.isNormalUser.
+              Either users.users.${user.name}.isSystemUser must be set to true instead of users.users.${user.name}.isNormalUser
+              or users.users.${user.name}.uid must be changed to 1000 or above.
+            '';
+          }
           {
             assertion = let
-              isEffectivelySystemUser = user.isSystemUser || (user.uid != null && user.uid < 1000);
+              # we do an extra check on isNormalUser here, to not trigger this assertion when isNormalUser is set and uid to < 1000
+              isEffectivelySystemUser = user.isSystemUser || (user.uid != null && user.uid < 1000 && !user.isNormalUser);
             in xor isEffectivelySystemUser user.isNormalUser;
             message = ''
               Exactly one of users.users.${user.name}.isSystemUser and users.users.${user.name}.isNormalUser must be set.