nixos/users-groups: split isSystemUser/isNormalUser and uid check into two

SuperSandro2000 · SuperSandro2000 · commit db0a0b11739c · 2024-11-22T15:46:00.000+01:00
Before the error message only mentioned isSystemUser/isNormalUser which
lead to a confusing situation when setting isNormalUser and an uid like
500 which would generate an error like:

error:
Failed assertions:
- Exactly one of users.users.other.isSystemUser and users.users.other.isNormalUser must be set.

from which you cannot know that setting the uid to 500 *and* setting
isNormalUser is the actual problem.

With this patch the error looks like:

error:
Failed assertions:
- A user cannot have a users.users.fixme.uid set below 1000 and set users.users.fixme.isNormalUser.
Either users.users.fixme.isSystemUser must be set to true instead of users.users.fixme.isNormalUser
or users.users.fixme.uid must be changed to 1000 or above.
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
@@ -906,9 +906,18 @@ in {
             of /etc/shadow (file where hashes are stored) are colon-separated.
             Please check the value of option `users.users."${user.name}".hashedPassword`.'';
           }
+          {
+            assertion = user.isNormalUser && user.uid != null -> user.uid >= 1000;
+            message = ''
+              A user cannot have a users.users.${user.name}.uid set below 1000 and set users.users.${user.name}.isNormalUser.
+              Either users.users.${user.name}.isSystemUser must be set to true instead of users.users.${user.name}.isNormalUser
+              or users.users.${user.name}.uid must be changed to 1000 or above.
+            '';
+          }
           {
             assertion = let
-              isEffectivelySystemUser = user.isSystemUser || (user.uid != null && user.uid < 1000);
+              # we do an extra check on isNormalUser here, to not trigger this assertion when isNormalUser is set and uid to < 1000
+              isEffectivelySystemUser = user.isSystemUser || (user.uid != null && user.uid < 1000 && !user.isNormalUser);
             in xor isEffectivelySystemUser user.isNormalUser;
             message = ''
               Exactly one of users.users.${user.name}.isSystemUser and users.users.${user.name}.isNormalUser must be set.
