From 574a90771f3c0eeeeab798c38fea5f7bf6b44066 Mon Sep 17 00:00:00 2001
From: Klemens Nanni
Date: Sat, 25 Jun 2022 15:59:43 +0400
Subject: [PATCH 1/2] lib.types, nixos/users: Make passwdEntry available

More nixpkgs code such as `boot.initrd.systemd.emergencyAccess` defines options that takes hashed passwords, so move the type definition from modules/ into lib/. The type definition itself stays unchanged.
---
 lib/types.nix | 6 ++++++
 nixos/modules/config/users-groups.nix | 16 +++++-----------
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/lib/types.nix b/lib/types.nix
index 354714b28733..d7655bc1a6a2 100644
--- a/lib/types.nix
+++ b/lib/types.nix
@@ -55,6 +55,7 @@ let
 concatMapStringsSep
 concatStringsSep
 escapeNixString
+ hasInfix
 isCoercibleToString
 ;
 inherit (lib.trivial)
@@ -360,6 +361,11 @@ rec {
 deprecationMessage = "See https://github.com/NixOS/nixpkgs/pull/66346 for better alternative types.";
 };
 
+ passwdEntry = entryType: addCheck entryType (str: !(hasInfix ":" str || hasInfix "\n" str)) // {
+ name = "passwdEntry ${entryType.name}";
+ description = "${entryType.description}, not containing newlines or colons";
+ };
+
 attrs = mkOptionType {
 name = "attrs";
 description = "attribute set";
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
index d3bdf218c339..85dfb9365619 100644
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -6,12 +6,6 @@ let
 ids = config.ids;
 cfg = config.users;
 
- isPasswdCompatible = str: !(hasInfix ":" str || hasInfix "\n" str);
- passwdEntry = type: lib.types.addCheck type isPasswdCompatible // {
- name = "passwdEntry ${type.name}";
- description = "${type.description}, not containing newlines or colons";
- };
-
 # Check whether a password hash will allow login.
 allowsLogin = hash:
 hash == "" # login without password
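Review bot: `passwdEntry` becomes a public `lib.types` member in the `@@ -360` hunk without any comment saying what it guards, and the lambda parameter `str` shadows the `str` type defined in the same `rec` set (the diff itself refers to it as `types.str`), which reads as though the type were being tested rather than a value. I would rename the parameter, e.g. `passwdEntry = entryType: addCheck entryType (value: !(hasInfix ":" value || hasInfix "\n" value)) // {`, and add a comment above it such as `# Restrict entryType to values that can be embedded as one field of a colon-separated passwd(5)/shadow(5) record: no field separator ":" and no record separator "\n". This is a format check only; it does not verify that a string is a well-formed password hash.` The check also does not reject the empty string, which users-groups.nix's own `allowsLogin` (visible in the following hunk) treats as login without a password, so any consumer that needs a non-empty hash still has to check that itself. The enclosing `rec { ... }` set starts and ends outside the hunk.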
@@ -60,7 +54,7 @@ let
 options = {
 name = mkOption {
- type = passwdEntry types.str;
+ type = types.passwdEntry types.str;
 apply = x: assert (builtins.stringLength x < 32 || abort "Username '${x}' is longer than 31 characters which is not allowed!"); x;
 description = ''
 The name of the user account. If undefined, the name of the
@@ -69,7 +63,7 @@ let
 };
 description = mkOption {
- type = passwdEntry types.str;
+ type = types.passwdEntry types.str;
 default = "";
 example = "Alice Q. User";
 description = ''
@@ -134,7 +128,7 @@ let
 };
 home = mkOption {
- type = passwdEntry types.path;
+ type = types.passwdEntry types.path;
 default = "/var/empty";
 description = "The user's home directory.";
 };
@@ -169,7 +163,7 @@ let
 };
 shell = mkOption {
- type = types.nullOr (types.either types.shellPackage (passwdEntry types.path));
+ type = types.nullOr (types.either types.shellPackage (types.passwdEntry types.path));
 default = pkgs.shadow;
 defaultText = literalExpression "pkgs.shadow";
 example = literalExpression "pkgs.bashInteractive";
@@ -349,7 +343,7 @@ let
 options = {
 name = mkOption {
- type = passwdEntry types.str;
+ type = types.passwdEntry types.str;
 description = ''
 The name of the group. If undefined, the name of the
 attribute set will be used.

From 30c36b47062f5cab53da07d9ed4ff1bd2b98ce36 Mon Sep 17 00:00:00 2001
From: Klemens Nanni
Date: Sat, 25 Jun 2022 16:05:53 +0400
Subject: [PATCH 2/2] nixos/systemd-stage-1: use types.passwdEntry in emergencyAccess

`boot.initrd.systemd.emergencyAccess` expects passwd(5) formatted strings, hence `singleLineStr` is too broad. Use the same type as `users.users.*.hashedPassword` to ensure consistency across all options where password hashes are used.

From `modules/config/users-groups.nix`:
```
hashedPassword = mkOption {
type = with types; nullOr (passwdEntry str);
...
};
```
---
 nixos/modules/system/boot/systemd/initrd.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos/modules/system/boot/systemd/initrd.nix b/nixos/modules/system/boot/systemd/initrd.nix
index cdec7f532917..5f93a8ac3c73 100644
--- a/nixos/modules/system/boot/systemd/initrd.nix
+++ b/nixos/modules/system/boot/systemd/initrd.nix
@@ -192,7 +192,7 @@ in {
 };
 emergencyAccess = mkOption {
- type = with types; oneOf [ bool singleLineStr ];
+ type = with types; oneOf [ bool (nullOr (passwdEntry str)) ];
 visible = false;
 description = ''
 Set to true for unauthenticated emergency access, and false for
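Review bot: Wrapping the string alternative in `nullOr` makes `null` a valid value for `emergencyAccess`, which the old `oneOf [ bool singleLineStr ]` did not accept, and neither the commit message nor the description in the hunk (true / false / hashed password) says what `null` means. The code that turns this option into the initrd shadow entry is outside the hunk, so I cannot tell whether it handles `null`; if it branches only on `isBool` and otherwise interpolates the value as a string, `null` would fail at evaluation with a string-coercion error instead of a type error naming the option, and if it were to treat `null` like an empty field it would silently grant passwordless access. Unless `null` is intentionally accepted (for example to pass a possibly-null `hashedPassword` through), `type = with types; oneOf [ bool (passwdEntry str) ];` keeps the old set of accepted values while still applying the new check; otherwise document `null` in the description and handle it explicitly where the shadow entry is generated. Note also that `passwdEntry str` still admits `""`, which users-groups.nix's `allowsLogin` treats as login without a password, so the description should state what an empty hash does here. The enclosing `mkOption` set and the `in {` block continue outside the hunk.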