| blob | 814ee77c01194c3d83885ab7f5b71f30e7009bfe |
1 # This module defines the global list of uids and gids. We keep a
2 # central list to prevent id collisions.
4 # IMPORTANT!
5 # We only add static uids and gids for services where it is not feasible
6 # to change uids/gids on service start, for example a service with a lot of
7 # files. Please also check if the service is applicable for systemd's
8 # DynamicUser option and does not need a uid/gid allocation at all.
9 # Systemd can also change ownership of service directories using the
10 # RuntimeDirectory/StateDirectory options.
12 { lib, ... }:
14 let
15 inherit (lib) types;
16 in
17 {
18 options = {
20 ids.uids = lib.mkOption {
21 internal = true;
22 description = ''
23 The user IDs used in NixOS.
24 '';
25 type = types.attrsOf types.int;
26 };
28 ids.gids = lib.mkOption {
29 internal = true;
30 description = ''
31 The group IDs used in NixOS.
32 '';
33 type = types.attrsOf types.int;
34 };
36 };
38 config = {
40 ids.uids = {
41 root = 0;
42 #wheel = 1; # unused
43 #kmem = 2; # unused
44 #tty = 3; # unused
45 messagebus = 4; # D-Bus
46 haldaemon = 5;
47 #disk = 6; # unused
48 #vsftpd = 7; # dynamically allocated ass of 2021-09-14
49 ftp = 8;
50 # bitlbee = 9; # removed 2021-10-05 #139765
51 #avahi = 10; # removed 2019-05-22
52 nagios = 11;
53 atd = 12;
54 postfix = 13;
55 #postdrop = 14; # unused
56 dovecot = 15;
57 tomcat = 16;
58 #audio = 17; # unused
59 #floppy = 18; # unused
60 uucp = 19;
61 #lp = 20; # unused
62 #proc = 21; # unused
63 pulseaudio = 22; # must match `pulseaudio' GID
64 gpsd = 23;
65 #cdrom = 24; # unused
66 #tape = 25; # unused
67 #video = 26; # unused
68 #dialout = 27; # unused
69 polkituser = 28;
70 #utmp = 29; # unused
71 # ddclient = 30; # converted to DynamicUser = true
72 davfs2 = 31;
73 disnix = 33;
74 osgi = 34;
75 tor = 35;
76 cups = 36;
77 foldingathome = 37;
78 sabnzbd = 38;
79 #kdm = 39; # dropped in 17.03
80 #ghostone = 40; # dropped in 18.03
81 git = 41;
82 #fourstore = 42; # dropped in 20.03
83 #fourstorehttp = 43; # dropped in 20.03
84 #virtuoso = 44; dropped module
85 #rtkit = 45; # dynamically allocated 2021-09-03
86 dovecot2 = 46;
87 dovenull2 = 47;
88 # prayer = 49; # dropped in 23.11
89 mpd = 50;
90 clamav = 51;
91 #fprot = 52; # unused
92 # bind = 53; #dynamically allocated as of 2021-09-03
93 wwwrun = 54;
94 #adm = 55; # unused
95 spamd = 56;
96 #networkmanager = 57; # unused
97 nslcd = 58;
98 scanner = 59;
99 nginx = 60;
100 chrony = 61;
101 #systemd-journal = 62; # unused
102 smtpd = 63;
103 smtpq = 64;
104 supybot = 65;
105 iodined = 66;
106 #libvirtd = 67; # unused
107 graphite = 68;
108 #statsd = 69; # removed 2018-11-14
109 transmission = 70;
110 postgres = 71;
111 #vboxusers = 72; # unused
112 #vboxsf = 73; # unused
113 smbguest = 74; # unused
114 varnish = 75;
115 datadog = 76;
116 lighttpd = 77;
117 lightdm = 78;
118 freenet = 79;
119 ircd = 80;
120 bacula = 81;
121 #almir = 82; # removed 2018-03-25, the almir package was removed in 30291227f2411abaca097773eedb49b8f259e297 during 2017-08
122 deluge = 83;
123 mysql = 84;
124 rabbitmq = 85;
125 activemq = 86;
126 gnunet = 87;
127 oidentd = 88;
128 quassel = 89;
129 amule = 90;
130 minidlna = 91;
131 elasticsearch = 92;
132 tcpcryptd = 93; # tcpcryptd uses a hard-coded uid. We patch it in Nixpkgs to match this choice.
133 firebird = 95;
134 #keys = 96; # unused
135 #haproxy = 97; # dynamically allocated as of 2020-03-11
136 #mongodb = 98; #dynamically allocated as of 2021-09-03
137 #openldap = 99; # dynamically allocated as of PR#94610
138 #users = 100; # unused
139 # cgminer = 101; #dynamically allocated as of 2021-09-17
140 munin = 102;
141 #logcheck = 103; #dynamically allocated as of 2021-09-17
142 #nix-ssh = 104; #dynamically allocated as of 2021-09-03
143 dictd = 105;
144 couchdb = 106;
145 #searx = 107; # dynamically allocated as of 2020-10-27
146 #kippo = 108; # removed 2021-10-07, the kippo package was removed in 1b213f321cdbfcf868b96fd9959c24207ce1b66a during 2021-04
147 jenkins = 109;
148 systemd-journal-gateway = 110;
149 #notbit = 111; # unused
150 aerospike = 111;
151 #ngircd = 112; #dynamically allocated as of 2021-09-03
152 #btsync = 113; # unused
153 #minecraft = 114; #dynamically allocated as of 2021-09-03
154 vault = 115;
155 # rippled = 116; #dynamically allocated as of 2021-09-18
156 murmur = 117;
157 foundationdb = 118;
158 newrelic = 119;
159 starbound = 120;
160 hydra = 122;
161 spiped = 123;
162 teamspeak = 124;
163 influxdb = 125;
164 nsd = 126;
165 gitolite = 127;
166 znc = 128;
167 polipo = 129;
168 mopidy = 130;
169 #docker = 131; # unused
170 gdm = 132;
171 #dhcpd = 133; # dynamically allocated as of 2021-09-03
172 siproxd = 134;
173 mlmmj = 135;
174 #neo4j = 136;# dynamically allocated as of 2021-09-03
175 riemann = 137;
176 riemanndash = 138;
177 #radvd = 139;# dynamically allocated as of 2021-09-03
178 #zookeeper = 140;# dynamically allocated as of 2021-09-03
179 #dnsmasq = 141;# dynamically allocated as of 2021-09-03
180 #uhub = 142; # unused
181 yandexdisk = 143;
182 # mxisd = 144; # removed 2024-07-10
183 #consul = 145;# dynamically allocated as of 2021-09-03
184 #mailpile = 146; # removed 2022-01-12
185 redmine = 147;
186 #seeks = 148; # removed 2020-06-21
187 prosody = 149;
188 i2pd = 150;
189 systemd-coredump = 151;
190 systemd-network = 152;
191 systemd-resolve = 153;
192 systemd-timesync = 154;
193 liquidsoap = 155;
194 #etcd = 156;# dynamically allocated as of 2021-09-03
195 hbase = 158;
196 opentsdb = 159;
197 scollector = 160;
198 bosun = 161;
199 kubernetes = 162;
200 peerflix = 163;
201 #chronos = 164; # removed 2020-08-15
202 gitlab = 165;
203 # tox-bootstrapd = 166; removed 2021-09-15
204 cadvisor = 167;
205 nylon = 168;
206 #apache-kafka = 169;# dynamically allocated as of 2021-09-03
207 #panamax = 170; # unused
208 exim = 172;
209 #fleet = 173; # unused
210 #input = 174; # unused
211 sddm = 175;
212 #tss = 176; # dynamically allocated as of 2021-09-17
213 #memcached = 177; removed 2018-01-03
214 #ntp = 179; # dynamically allocated as of 2021-09-17
215 zabbix = 180;
216 #redis = 181; removed 2018-01-03
217 #unifi = 183; dynamically allocated as of 2021-09-17
218 uptimed = 184;
219 #zope2 = 185; # dynamically allocated as of 2021-09-18
220 #ripple-data-api = 186; dynamically allocated as of 2021-09-17
221 mediatomb = 187;
222 #rdnssd = 188; #dynamically allocated as of 2021-09-18
223 ihaskell = 189;
224 i2p = 190;
225 lambdabot = 191;
226 asterisk = 192;
227 plex = 193;
228 plexpy = 195;
229 grafana = 196;
230 skydns = 197;
231 # ripple-rest = 198; # unused, removed 2017-08-12
232 # nix-serve = 199; # unused, removed 2020-12-12
233 #tvheadend = 200; # dynamically allocated as of 2021-09-18
234 uwsgi = 201;
235 # gitit = 202; # unused, module was removed 2023-04-03
236 riemanntools = 203;
237 subsonic = 204;
238 # riak = 205; # unused, remove 2022-07-22
239 #shout = 206; # dynamically allocated as of 2021-09-18, module removed 2024-10-19
240 gateone = 207;
241 namecoin = 208;
242 #lxd = 210; # unused
243 #kibana = 211;# dynamically allocated as of 2021-09-03
244 xtreemfs = 212;
245 calibre-server = 213;
246 #heapster = 214; #dynamically allocated as of 2021-09-17
247 bepasty = 215;
248 # pumpio = 216; # unused, removed 2018-02-24
249 nm-openvpn = 217;
250 # mathics = 218; # unused, removed 2020-08-15
251 ejabberd = 219;
252 postsrsd = 220;
253 opendkim = 221;
254 dspam = 222;
255 # gale = 223; removed 2021-06-10
256 matrix-synapse = 224;
257 rspamd = 225;
258 # rmilter = 226; # unused, removed 2019-08-22
259 cfdyndns = 227;
260 # gammu-smsd = 228; #dynamically allocated as of 2021-09-17
261 pdnsd = 229;
262 octoprint = 230;
263 avahi-autoipd = 231;
264 # nntp-proxy = 232; #dynamically allocated as of 2021-09-17
265 mjpg-streamer = 233;
266 #radicale = 234;# dynamically allocated as of 2021-09-03
267 hydra-queue-runner = 235;
268 hydra-www = 236;
269 syncthing = 237;
270 caddy = 239;
271 taskd = 240;
272 # factorio = 241; # DynamicUser = true
273 # emby = 242; # unusued, removed 2019-05-01
274 #graylog = 243;# dynamically allocated as of 2021-09-03
275 sniproxy = 244;
276 nzbget = 245;
277 mosquitto = 246;
278 #toxvpn = 247; # dynamically allocated as of 2021-09-18
279 # squeezelite = 248; # DynamicUser = true
280 turnserver = 249;
281 #smokeping = 250;# dynamically allocated as of 2021-09-03
282 gocd-agent = 251;
283 gocd-server = 252;
284 terraria = 253;
285 mattermost = 254;
286 prometheus = 255;
287 telegraf = 256;
288 gitlab-runner = 257;
289 postgrey = 258;
290 # hound = 259; # unused, removed 2023-11-21
291 leaps = 260;
292 ipfs = 261;
293 # stanchion = 262; # unused, removed 2020-10-14
294 # riak-cs = 263; # unused, removed 2020-10-14
295 infinoted = 264;
296 sickbeard = 265;
297 headphones = 266;
298 # couchpotato = 267; # unused, removed 2022-01-01
299 # gogs = 268; # unused, removed in 2024-10-12
300 #pdns-recursor = 269; # dynamically allocated as of 2020-20-18
301 #kresd = 270; # switched to "knot-resolver" with dynamic ID
302 rpc = 271;
303 #geoip = 272; # new module uses DynamicUser
304 fcron = 273;
305 sonarr = 274;
306 radarr = 275;
307 jackett = 276;
308 aria2 = 277;
309 clickhouse = 278;
310 rslsync = 279;
311 minio = 280;
312 kanboard = 281;
313 # pykms = 282; # DynamicUser = true
314 kodi = 283;
315 # restya-board = 284; # removed 2024-01-22
316 mighttpd2 = 285;
317 hass = 286;
318 #monero = 287; # dynamically allocated as of 2021-05-08
319 ceph = 288;
320 duplicati = 289;
321 monetdb = 290;
322 restic = 291;
323 openvpn = 292;
324 # meguca = 293; # removed 2020-08-21
325 yarn = 294;
326 hdfs = 295;
327 mapred = 296;
328 hadoop = 297;
329 #hydron = 298; # removed 2024-08-03
330 cfssl = 299;
331 cassandra = 300;
332 qemu-libvirtd = 301;
333 # kvm = 302; # unused
334 # render = 303; # unused
335 # zeronet = 304; # removed 2019-01-03
336 lirc = 305;
337 lidarr = 306;
338 slurm = 307;
339 kapacitor = 308;
340 # solr = 309; removed 2023-03-16
341 alerta = 310;
342 minetest = 311;
343 rss2email = 312;
344 cockroachdb = 313;
345 zoneminder = 314;
346 paperless = 315;
347 #mailman = 316; # removed 2019-08-30
348 zigbee2mqtt = 317;
349 # shadow = 318; # unused
350 hqplayer = 319;
351 moonraker = 320;
352 distcc = 321;
353 webdav = 322;
354 pipewire = 323;
355 rstudio-server = 324;
356 localtimed = 325;
357 automatic-timezoned = 326;
359 # When adding a uid, make sure it doesn't match an existing gid.
360 #
361 # !!! Don't use uids above "399"! !!!
362 #
363 # The reason behind this restriction is that, NixOS by default allocates
364 # system user UIDs/GIDs in the range of `400..999`. System users/groups
365 # created using command like `useradd` will have UID and GID in this range[1].
366 #
367 # If a newly added ID goes beyond "399", it may conflict with existing
368 # system user or group of the same id in someone else's NixOS.
369 # This could break their system and make that person upset for a whole day.
370 #
371 # Sidenote: the default is defined in `shadow` module[2], and the relavent change
372 # was made way back in 2014[3].
373 #
374 # [1]: https://man7.org/linux/man-pages/man5/login.defs.5.html#:~:text=SYS_UID_MAX%20(number)%2C%20SYS_UID_MIN%20(number)
375 # [2]: <nixos/modules/programs/shadow.nix>
376 # [3]: https://github.com/NixOS/nixpkgs/commit/0e23a175de3687df8232fe118cbe87f04228ff28
378 nixbld = 30000; # start of range of uids
379 nobody = 65534;
380 };
382 ids.gids = {
383 root = 0;
384 wheel = 1;
385 kmem = 2;
386 tty = 3;
387 messagebus = 4; # D-Bus
388 haldaemon = 5;
389 disk = 6;
390 #vsftpd = 7; # dynamically allocated as of 2021-09-14
391 ftp = 8;
392 # bitlbee = 9; # removed 2021-10-05 #139765
393 #avahi = 10; # removed 2019-05-22
394 #nagios = 11; # unused
395 atd = 12;
396 postfix = 13;
397 postdrop = 14;
398 dovecot = 15;
399 tomcat = 16;
400 audio = 17;
401 floppy = 18;
402 uucp = 19;
403 lp = 20;
404 proc = 21;
405 pulseaudio = 22; # must match `pulseaudio' UID
406 gpsd = 23;
407 cdrom = 24;
408 tape = 25;
409 video = 26;
410 dialout = 27;
411 #polkituser = 28; # currently unused, polkitd doesn't need a group
412 utmp = 29;
413 # ddclient = 30; # converted to DynamicUser = true
414 davfs2 = 31;
415 disnix = 33;
416 osgi = 34;
417 tor = 35;
418 #cups = 36; # unused
419 #foldingathome = 37; # unused
420 #sabnzd = 38; # unused
421 #kdm = 39; # unused, even before 17.03
422 #ghostone = 40; # dropped in 18.03
423 git = 41;
424 fourstore = 42;
425 fourstorehttp = 43;
426 virtuoso = 44;
427 #rtkit = 45; # unused
428 dovecot2 = 46;
429 dovenull2 = 47;
430 # prayer = 49; # dropped in 23.11
431 mpd = 50;
432 clamav = 51;
433 #fprot = 52; # unused
434 #bind = 53; # unused
435 wwwrun = 54;
436 adm = 55;
437 spamd = 56;
438 networkmanager = 57;
439 nslcd = 58;
440 scanner = 59;
441 nginx = 60;
442 chrony = 61;
443 systemd-journal = 62;
444 smtpd = 63;
445 smtpq = 64;
446 supybot = 65;
447 iodined = 66;
448 libvirtd = 67;
449 graphite = 68;
450 #statsd = 69; # removed 2018-11-14
451 transmission = 70;
452 postgres = 71;
453 vboxusers = 72;
454 vboxsf = 73;
455 smbguest = 74; # unused
456 varnish = 75;
457 datadog = 76;
458 lighttpd = 77;
459 lightdm = 78;
460 freenet = 79;
461 ircd = 80;
462 bacula = 81;
463 #almir = 82; # removed 2018-03-25, the almir package was removed in 30291227f2411abaca097773eedb49b8f259e297 during 2017-08
464 deluge = 83;
465 mysql = 84;
466 rabbitmq = 85;
467 activemq = 86;
468 gnunet = 87;
469 oidentd = 88;
470 quassel = 89;
471 amule = 90;
472 minidlna = 91;
473 elasticsearch = 92;
474 #tcpcryptd = 93; # unused
475 firebird = 95;
476 keys = 96;
477 #haproxy = 97; # dynamically allocated as of 2020-03-11
478 #mongodb = 98; # unused
479 #openldap = 99; # dynamically allocated as of PR#94610
480 munin = 102;
481 #logcheck = 103; # unused
482 #nix-ssh = 104; # unused
483 dictd = 105;
484 couchdb = 106;
485 #searx = 107; # dynamically allocated as of 2020-10-27
486 #kippo = 108; # removed 2021-10-07, the kippo package was removed in 1b213f321cdbfcf868b96fd9959c24207ce1b66a during 2021-04
487 jenkins = 109;
488 systemd-journal-gateway = 110;
489 #notbit = 111; # unused
490 aerospike = 111;
491 #ngircd = 112; # unused
492 #btsync = 113; # unused
493 #minecraft = 114; # unused
494 vault = 115;
495 #ripped = 116; # unused
496 murmur = 117;
497 foundationdb = 118;
498 newrelic = 119;
499 starbound = 120;
500 hydra = 122;
501 spiped = 123;
502 teamspeak = 124;
503 influxdb = 125;
504 nsd = 126;
505 gitolite = 127;
506 znc = 128;
507 polipo = 129;
508 mopidy = 130;
509 docker = 131;
510 gdm = 132;
511 #dhcpcd = 133; # unused
512 siproxd = 134;
513 mlmmj = 135;
514 #neo4j = 136; # unused
515 riemann = 137;
516 riemanndash = 138;
517 #radvd = 139; # unused
518 #zookeeper = 140; # unused
519 #dnsmasq = 141; # unused
520 uhub = 142;
521 #yandexdisk = 143; # unused
522 # mxisd = 144; # removed 2024-07-10
523 #consul = 145; # unused
524 #mailpile = 146; # removed 2022-01-12
525 redmine = 147;
526 #seeks = 148; # removed 2020-06-21
527 prosody = 149;
528 i2pd = 150;
529 systemd-network = 152;
530 systemd-resolve = 153;
531 systemd-timesync = 154;
532 liquidsoap = 155;
533 #etcd = 156; # unused
534 hbase = 158;
535 opentsdb = 159;
536 scollector = 160;
537 bosun = 161;
538 kubernetes = 162;
539 #peerflix = 163; # unused
540 #chronos = 164; # unused
541 gitlab = 165;
542 nylon = 168;
543 #panamax = 170; # unused
544 exim = 172;
545 #fleet = 173; # unused
546 input = 174;
547 sddm = 175;
548 #tss = 176; #dynamically allocateda as of 2021-09-20
549 #memcached = 177; # unused, removed 2018-01-03
550 #ntp = 179; # unused
551 zabbix = 180;
552 #redis = 181; # unused, removed 2018-01-03
553 #unifi = 183; # unused
554 #uptimed = 184; # unused
555 #zope2 = 185; # unused
556 #ripple-data-api = 186; #unused
557 mediatomb = 187;
558 #rdnssd = 188; # unused
559 ihaskell = 189;
560 i2p = 190;
561 lambdabot = 191;
562 asterisk = 192;
563 plex = 193;
564 sabnzbd = 194;
565 #grafana = 196; #unused
566 #skydns = 197; #unused
567 # ripple-rest = 198; # unused, removed 2017-08-12
568 #nix-serve = 199; #unused
569 #tvheadend = 200; #unused
570 uwsgi = 201;
571 gitit = 202;
572 riemanntools = 203;
573 subsonic = 204;
574 # riak = 205;#unused, removed 2022-06-22
575 #shout = 206; #unused
576 gateone = 207;
577 namecoin = 208;
578 #lxd = 210; # unused
579 #kibana = 211;
580 xtreemfs = 212;
581 calibre-server = 213;
582 bepasty = 215;
583 # pumpio = 216; # unused, removed 2018-02-24
584 nm-openvpn = 217;
585 mathics = 218;
586 ejabberd = 219;
587 postsrsd = 220;
588 opendkim = 221;
589 dspam = 222;
590 # gale = 223; removed 2021-06-10
591 matrix-synapse = 224;
592 rspamd = 225;
593 # rmilter = 226; # unused, removed 2019-08-22
594 cfdyndns = 227;
595 pdnsd = 229;
596 octoprint = 230;
597 #radicale = 234;# dynamically allocated as of 2021-09-03
598 syncthing = 237;
599 caddy = 239;
600 taskd = 240;
601 # factorio = 241; # unused
602 # emby = 242; # unused, removed 2019-05-01
603 sniproxy = 244;
604 nzbget = 245;
605 mosquitto = 246;
606 #toxvpn = 247; # unused
607 #squeezelite = 248; #unused
608 turnserver = 249;
609 #smokeping = 250;# dynamically allocated as of 2021-09-03
610 gocd-agent = 251;
611 gocd-server = 252;
612 terraria = 253;
613 mattermost = 254;
614 prometheus = 255;
615 #telegraf = 256; # unused
616 gitlab-runner = 257;
617 postgrey = 258;
618 # hound = 259; # unused, removed 2023-11-21
619 leaps = 260;
620 ipfs = 261;
621 # stanchion = 262; # unused, removed 2020-10-14
622 # riak-cs = 263; # unused, removed 2020-10-14
623 infinoted = 264;
624 sickbeard = 265;
625 headphones = 266;
626 # couchpotato = 267; # unused, removed 2022-01-01
627 # gogs = 268; # unused, removed in 2024-10-12
628 #kresd = 270; # switched to "knot-resolver" with dynamic ID
629 #rpc = 271; # unused
630 #geoip = 272; # unused
631 fcron = 273;
632 sonarr = 274;
633 radarr = 275;
634 jackett = 276;
635 aria2 = 277;
636 clickhouse = 278;
637 rslsync = 279;
638 minio = 280;
639 kanboard = 281;
640 # pykms = 282; # DynamicUser = true
641 kodi = 283;
642 # restya-board = 284; # removed 2024-01-22
643 mighttpd2 = 285;
644 hass = 286;
645 # monero = 287; # dynamically allocated as of 2021-05-08
646 ceph = 288;
647 duplicati = 289;
648 monetdb = 290;
649 restic = 291;
650 openvpn = 292;
651 # meguca = 293; # removed 2020-08-21
652 yarn = 294;
653 hdfs = 295;
654 mapred = 296;
655 hadoop = 297;
656 #hydron = 298; # removed 2024-08-03
657 cfssl = 299;
658 cassandra = 300;
659 qemu-libvirtd = 301;
660 kvm = 302; # default udev rules from systemd requires these
661 render = 303; # default udev rules from systemd requires these
662 sgx = 304; # default udev rules from systemd requires these
663 lirc = 305;
664 lidarr = 306;
665 slurm = 307;
666 kapacitor = 308;
667 # solr = 309; removed 2023-03-16
668 alerta = 310;
669 minetest = 311;
670 rss2email = 312;
671 cockroachdb = 313;
672 zoneminder = 314;
673 paperless = 315;
674 #mailman = 316; # removed 2019-08-30
675 zigbee2mqtt = 317;
676 shadow = 318;
677 hqplayer = 319;
678 moonraker = 320;
679 distcc = 321;
680 webdav = 322;
681 pipewire = 323;
682 rstudio-server = 324;
683 localtimed = 325;
684 automatic-timezoned = 326;
685 uinput = 327;
687 # When adding a gid, make sure it doesn't match an existing
688 # uid. Users and groups with the same name should have equal
689 # uids and gids.
690 #
691 # !!! Don't use gids above "399"! !!!
692 #
693 # The reason behind this restriction is that, NixOS by default allocates
694 # system user UIDs/GIDs in the range of `400..999`. System users/groups
695 # created using command like `useradd` will have UID and GID in this range[1].
696 #
697 # If a newly added ID goes beyond "399", it may conflict with existing
698 # system user or group of the same id in someone else's NixOS.
699 # This could break their system and make that person upset for a whole day.
700 #
701 # Sidenote: the default is defined in `shadow` module[2], and the relavent change
702 # was made way back in 2014[3].
703 #
704 # [1]: https://man7.org/linux/man-pages/man5/login.defs.5.html#:~:text=SYS_UID_MAX%20(number)%2C%20SYS_UID_MIN%20(number)
705 # [2]: <nixos/modules/programs/shadow.nix>
706 # [3]: https://github.com/NixOS/nixpkgs/commit/0e23a175de3687df8232fe118cbe87f04228ff28
708 # For exceptional cases where you really need a gid above 399, leave a
709 # comment stating why.
710 #
711 # Also, avoid the following GID ranges:
712 #
713 # 1000 - 29999: user accounts (see ../config/update-users-groups.pl)
714 # 30000 - 31000: nixbld users (the upper limit is arbitrarily chosen)
715 # 61184 - 65519: systemd DynamicUser (see systemd.exec(5))
716 # 65535: the error return sentinel value when uid_t was 16 bits
717 #
718 # 100000 - 6653600: subgid allocated for user namespaces
719 # (see ../config/update-users-groups.pl)
720 # 4294967294: unauthenticated user in some NFS implementations
721 # 4294967295: error return sentinel value
722 #
723 # References:
724 # https://www.debian.org/doc/debian-policy/ch-opersys.html#uid-and-gid-classes
726 onepassword = 31001; # 1Password requires that its GID be larger than 1000
727 onepassword-cli = 31002; # 1Password requires that its GID be larger than 1000
729 users = 100;
730 nixbld = 30000;
731 nogroup = 65534;
732 };
734 };
736 }