Merged
In non-NixOS settings, it is frequent that some users/groups are created by default by the distribution, or impurely by the user. Because Userborn is stateless, those users/groups are disabled when they are not included in the Userborn configuration.

With this change, this can now be accommodated. Users can be created impurely/imperatively and are not disabled by Userborn if they were not previously managed by Userborn.

Userborn now looks at the previous config to determine whether to disable users or drain groups. In the mutable users mode, users/groups are only disabled/drained if they were already contained in the previous config.

This commit was inspired by Julien's work, which made me consider this issue in the first place, and his implementation helped me to think of a way that this can be implemented more elegantly in my opinion.

Co-authored-by: Julien Malka <julien@malka.sh>
jfroche added a commit to numtide/system-manager that referenced this pull request Jan 27, 2026

mutable users handling has been merged into userborn with nikstur/userborn#38

This commit updates system-manager to use the new userborn features and properly sequence userborn execution during activation and deactivation. System manager ensures users exist before tmpfiles runs and managed accounts are locked on deactivation.

Activation changes:
- Restart userborn.service after daemon-reload but before tmpfiles
- Use restart (not start) because userborn is a oneshot service with RemainAfterExit=true - start on an already-active service is a no-op

Deactivation changes:
- Move user locking logic from Nix shell script to Rust engine
- Add users.rs module with lock_managed_users() that calls userborn with empty config to lock previously managed accounts
- Set USERBORN_MUTABLE_USERS=true so only managed users are locked, not stateful users created outside userborn
- Create top-level deactivate.rs module for cleaner API naming
jfroche added a commit to numtide/system-manager that referenced this pull request Feb 3, 2026

mutable users handling has been merged into userborn with nikstur/userborn#38

This commit updates system-manager to use the new userborn features and properly sequence userborn execution during activation and deactivation. System manager ensures users exist before tmpfiles runs and managed accounts are locked on deactivation.

Activation changes:
- Restart userborn.service after daemon-reload but before tmpfiles
- Use restart (not start) because userborn is a oneshot service with RemainAfterExit=true - start on an already-active service is a no-op

Deactivation changes:
- Move user locking logic from Nix shell script to Rust engine
- Add users.rs module with lock_managed_users() that calls userborn with empty config to lock previously managed accounts
- Set USERBORN_MUTABLE_USERS=true so only managed users are locked, not stateful users created outside userborn
- Create top-level deactivate.rs module for cleaner API naming
Supersedes #36
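
The disable rule from the PR description, and the empty-config deactivation call from the system-manager commit message, as an added example: a simplified model, not Userborn's or system-manager's own code. The function, the plain name sets and the account names are constructed for illustration; the same rule is assumed to apply to draining groups.

```rust
use std::collections::BTreeSet;

// Simplified model of the rule in the PR description (not Userborn's code).
// Real runs read the passwd/group databases; here accounts are just names.
fn users_to_disable(
    on_system: &BTreeSet<&str>, // accounts that exist right now
    previous: &BTreeSet<&str>,  // accounts listed in the previous config
    current: &BTreeSet<&str>,   // accounts listed in the new config
    mutable_users: bool,        // models USERBORN_MUTABLE_USERS=true
) -> BTreeSet<String> {
    on_system
        .iter()
        // Anything still listed in the new config stays enabled.
        .filter(|name| !current.contains(*name))
        // Stateless mode: every unlisted account is disabled.
        // Mutable mode: only accounts the previous config managed.
        .filter(|name| !mutable_users || previous.contains(*name))
        .map(|name| name.to_string())
        .collect()
}

// Helper to build a constructed name set.
fn set(names: &[&'static str]) -> BTreeSet<&'static str> {
    names.iter().copied().collect()
}

fn main() {
    // Constructed sample: "postgres" was created outside Userborn
    // (for example by a distribution package) and was never managed.
    let on_system = set(&["alice", "bob", "postgres"]);
    let previous = set(&["alice", "bob"]);
    let current = set(&["alice"]); // "bob" was dropped from the config

    let stateless = users_to_disable(&on_system, &previous, &current, false);
    let mutable = users_to_disable(&on_system, &previous, &current, true);
    // Deactivation as the commit message describes it: empty config plus
    // mutable mode, so only previously managed accounts are locked.
    let deactivate = users_to_disable(&on_system, &previous, &set(&[]), true);

    println!("stateless:  {:?}", stateless);
    println!("mutable:    {:?}", mutable);
    println!("deactivate: {:?}", deactivate);
}
```
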