From 94ec2169bd9de2b3497d9bd6dd15c40036254760 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 1 Feb 2026 20:58:05 +0000 Subject: [PATCH] Validate username once in flake Co-authored-by: ragusa-it <196988693+ragusa-it@users.noreply.github.com> --- flake.nix | 10 ++++++++-- modules/common.nix | 6 +++--- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/flake.nix b/flake.nix index 2c9aa7e..1100e17 100644 --- a/flake.nix +++ b/flake.nix @@ -40,9 +40,15 @@ hostname = "atlas"; username = "pinj"; lib = nixpkgs.lib; + usernameValid = + builtins.match "^[a-z_][a-z0-9_]*$" username != null + && builtins.match "^_+$" username == null + && builtins.match "^nix" username == null + && username != "root"; hostConfig = ./hosts + "/${hostname}/hardware-configuration.nix"; - passwordHashPath = "/etc/nixos/secrets/${username}/password.hash"; - specialArgs = { inherit inputs system hostname username passwordHashPath; }; + passwordHashPath = assert usernameValid; + "/etc/nixos/secrets/${username}/password.hash"; + specialArgs = { inherit inputs system hostname username usernameValid passwordHashPath; }; # Verify mango flake exports the expected module mangoModule = assert lib.hasAttrByPath [ "nixosModules" "mango" ] mango; diff --git a/modules/common.nix b/modules/common.nix index 96aaf14..ec4924e 100644 --- a/modules/common.nix +++ b/modules/common.nix @@ -1,10 +1,10 @@ -{ config, pkgs, inputs, system, hostname, username, passwordHashPath, ... }: +{ config, pkgs, inputs, system, hostname, username, usernameValid, passwordHashPath, ... }: { assertions = [ { - assertion = builtins.match "^[a-z_][a-z0-9_]*$" username != null; - message = "username must be a simple system user name without path separators."; + assertion = usernameValid; + message = "username must be a simple system user name and not reserved."; } ]; # --------------------------------------------------------------------------
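Review bot: The reserved-name check `builtins.match "^nix" username == null` in the new `usernameValid` binding rejects only the exact name `nix`, because `builtins.match` succeeds only when the regex matches the whole string; a name such as `nixbld1` still passes and is then interpolated into `passwordHashPath`. If the intent is to exclude every name beginning with `nix` (inferred from the pattern, not stated in the commit), use `&& !(lib.hasPrefix "nix" username)` with the `lib` already bound above, or `&& builtins.match "nix.*" username == null`. The same full-match rule makes the `^`/`$` anchors in the other two patterns redundant but harmless. The enclosing `let` block starts and ends outside this hunk.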
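Review bot: The assertion in modules/common.nix now trusts a `usernameValid` boolean supplied through specialArgs instead of checking the `username` it receives, so the module is only as safe as whoever computes that flag; another caller that imports it must pass a correctly derived value, and a mismatched pair would go unnoticed. A comment above the assertion such as `# usernameValid is derived in flake.nix from the same username passed here; do not set it by hand` would record that coupling. The new message also says "not reserved" without naming the rules, so a failed evaluation is hard to act on; consider `message = "username must match [a-z_][a-z0-9_]*, must not consist only of underscores, and must not be a reserved name such as root.";`. The module body continues outside the hunk.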