nix-community / home-manager

Manage a user environment using Nix [maintainer=@rycee]
https://nix-community.github.io/home-manager/
MIT License

Bug: Using home-manager as a NixOS module with external authentication services (Kanidm, Ldap, Active Directory) fails #5244

Open TheRealGramdalf opened 5 months ago

TheRealGramdalf commented 5 months ago

Issue description

I use Kanidm to manage POSIX accounts on my small fleet of NixOS machines. I recently attempted to start using home-manager as a NixOS module, yet quickly ran into issues - the home-manager module expects to handle POSIX accounts itself (via users.users."therealgramdalf"), and thus throws an error:

       error:
       Failed assertions:
       - Exactly one of users.users.therealgramdalf.isSystemUser and users.users.therealgramdalf.isNormalUser must be set.

       - users.users.therealgramdalf.group is unset. This used to default to
       nogroup, but this is unsafe. For example you can create a group
       for this user with:
       users.users.therealgramdalf.group = "therealgramdalf";
       users.groups.therealgramdalf = {}

This is an issue, since the POSIX accounts don't actually exist locally on the machine - they are loaded dynamically by kanidm-unixd. I go into more detail here: https://github.com/kanidm/kanidm/issues/2698

A method to disable this requirement (such that the NixOS module doesn't actually create the users) should solve most of the problems; the UUID problems specified in the issue I linked should be solvable at the configuration level (without altering home-manager itself).

Maintainer CC

@rycee

System information

N/A
TheRealGramdalf commented 5 months ago

I should mention that I have home-manager.useUserPackages set to true, which may be affecting things due to the usage of users.users."therealgramdalf".packages
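An added illustration of the configuration shape this issue describes, written here for reference; it is not the issue author's configuration nor code from home-manager or Kanidm. The Kanidm client option names (services.kanidm.enableClient, enablePam, clientSettings.uri, unixSettings.pam_allowed_login_groups) are taken from the NixOS module as I know it, and the domain, URI, group and stateVersion values are placeholders. The comment on home-manager.useUserPackages reflects the option's documented behaviour (installing user packages through users.users.<name>.packages); that this is what triggers the assertions is the suspicion raised in the comment above, not something confirmed on this page.

```nix
# Added illustration, not the issue author's or the project's own code.
# Assumed: Kanidm option names from the NixOS module, placeholder values.
{ config, pkgs, ... }:
{
  # POSIX accounts come from kanidm-unixd; nothing is declared under
  # users.users for them, so NixOS never creates them locally.
  services.kanidm = {
    enableClient = true;
    clientSettings.uri = "https://idm.example.com";      # assumed placeholder
    enablePam = true;
    unixSettings = {
      pam_allowed_login_groups = [ "posix_login" ];       # assumed group name
    };
  };

  # home-manager used as a NixOS module for a user that only exists in Kanidm.
  home-manager = {
    # useUserPackages = true installs the user's packages through
    # users.users.therealgramdalf.packages. Assigning that option defines the
    # user in users.users, which is where the quoted isNormalUser/group
    # assertions come from (assumption: see the follow-up comment). Setting it
    # to false installs into the user profile instead and is the first thing
    # to try when the account is not declared locally.
    useUserPackages = true;

    users.therealgramdalf = { ... }: {
      home.stateVersion = "24.05";                         # placeholder
      programs.git.enable = true;
    };
  };
}
```

With useUserPackages = false the packages land in ~/.nix-profile for the user, so no users.users entry is needed for them; whether anything else in the module still references users.users.<name> (for example the home directory lookup) has to be checked against the module source, which this issue does not quote.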

nixos-discourse commented 3 months ago

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/dealing-with-non-local-users-and-system-groups-home-manager/29145/3