UID declaration is ignored after upgrading Plasma 5 to 6

My NixOS config has the following passage, which used to work:

  users.users.jeff = {
    uid = 1000;        # for compatibility with Ubuntu
    isNormalUser = true;
    extraGroups = [
      ... # I'm skipping some stuff here
    ];
  };

I just upgraded from Plasma 5 to 6 (also declaratively via NixOS), and now my UID appears to have reverted to 1001:

jeff 2025-03-25 18:37:23 ~$ id
uid=1001(jeff) gid=100(users) groups=100(users),1(wheel),17(audio),27(dialout),57(networkmanager),131(docker)
jeff 2025-03-25 18:37:26 ~$

My config does not mention users.mutableUsers. I tried setting that to false, NixOS refused to compile with a scary message, and I backed off:

                     
jeff 2025-03-25 18:42:25 ~/nix/jbb$ sudo nixos-rebuild switch                      
building Nix...                                                                    
building the system configuration...                                               
error:                                                                             
       … while calling the 'head' builtin                                          
         at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/attrsets.nix:1:35741:                                                     
       … while evaluating the attribute 'value'                                         
         at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:1:33591:                                                      
       … while evaluating the option `system.build.toplevel':                      
                                                                                        
       … while evaluating definitions from `/nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/top-level.nix'
:                                                                                             
                                                                                                                                             
       (stack trace truncated; use '--show-trace' to show the full, detailed trace)                 
                                                                                                    
       error:                                                                                                                                
       Failed assertions:                                                                           
       - Neither the root account nor any wheel user has a password or SSH authorized key.                                                   
       You must set one to prevent being locked out of your system.                                         
       If you really want to be locked out of your system, set users.allowNoPasswordLogin = true;                    
       However you are most probably better off by setting users.mutableUsers = true; and                                       
       manually running passwd root to set the root password.         

Any ideas?

That is strange. Can you share your config, and also the contents of /var/lib/nixos/uid-map?

Of course! My full config is here (permalink to the offending commit):

And cat /var/lib/nixos/uid-map yields:

{"colord":994,"cups":36,"dhcpcd":993,"jbb":1000,"jeff":1001,"lightdm":78,"messagebus":4,"nixbld1":30001,"nixbld10":30010,"nixbld11":30011,"nixbld12":30012,"nixbld13":30013,"nixbld14":30014,"nixbld15":30015,"nixbld16":30016,"nixbld17":30017,"nixbld18":30018,"nixbld19":30019,"nixbld2":30002,"nixbld20":30020,"nixbld21":30021,"nixbld22":30022,"nixbld23":30023,"nixbld24":30024,"nixbld25":30025,"nixbld26":30026,"nixbld27":30027,"nixbld28":30028,"nixbld29":30029,"nixbld3":30003,"nixbld30":30030,"nixbld31":30031,"nixbld32":30032,"nixbld4":30004,"nixbld5":30005,"nixbld6":30006,"nixbld7":30007,"nixbld8":30008,"nixbld9":30009,"nm-iodine":999,"nm-openvpn":217,"nobody":65534,"nscd":998,"polkituser":28,"root":0,"rtkit":997,"sddm":175,"systemd-coredump":151,"systemd-journal-gateway":110,"systemd-network":152,"systemd-oom":996,"systemd-resolve":153,"systemd-timesync":154,"usbmux":995}

(with no trailing newline). In case it helps here’s that same data with one CSV per line:

"colord":994,
"cups":36,
"dhcpcd":993,
"jbb":1000,
"jeff":1001,
"lightdm":78,
"messagebus":4,
"nixbld1":30001,
"nixbld10":30010,
"nixbld11":30011,
"nixbld12":30012,
"nixbld13":30013,
"nixbld14":30014,
"nixbld15":30015,
"nixbld16":30016,
"nixbld17":30017,
"nixbld18":30018,
"nixbld19":30019,
"nixbld2":30002,
"nixbld20":30020,
"nixbld21":30021,
"nixbld22":30022,
"nixbld23":30023,
"nixbld24":30024,
"nixbld25":30025,
"nixbld26":30026,
"nixbld27":30027,
"nixbld28":30028,
"nixbld29":30029,
"nixbld3":30003,
"nixbld30":30030,
"nixbld31":30031,
"nixbld32":30032,
"nixbld4":30004,
"nixbld5":30005,
"nixbld6":30006,
"nixbld7":30007,
"nixbld8":30008,
"nixbld9":30009,
"nm-iodine":999,
"nm-openvpn":217,
"nobody":65534,
"nscd":998,
"polkituser":28,
"root":0,
"rtkit":997,
"sddm":175,
"systemd-coredump":151,
"systemd-journal-gateway":110,
"systemd-network":152,
"systemd-oom":996,
"systemd-resolve":153,
"systemd-timesync":154,
"usbmux":995

I don’t see anything like this in your Git history, but did you by chance at some point recently attempt to rename your jeff user to jbb? That’s the only thing I can think of that would cause this.

If NixOS at any point assigned a UID to a name, that UID takes precedence forever over any UIDs assigned via configuration. This is persisted in /var/lib/nixos/uid-map. It should in theory be possible to edit that file to remove any mappings that you want NixOS to forget or regenerate from configuration. But of course, if that changes your jeff user’s UID from 1001 to 1000, you’ll probably have to deal with chowning all of your files (back?) to the correct UID.

It wouldn’t have been recently, but maybe I did last year. (I rebuild the system at least weekly.)

I don’t mind doing a big recursive chmod. But if I edit /var/lib/nixos/uid-map, is there any chance I might get locked out? (When I open a new text-only console from KDE using Ctrl-Alt-F2, I can login as root, so I assume even if both jbb and jeff stop working as users I can still use that to fix everything, right?)

When I look for files owned by UID 1000, I find a lot of docker overlays (and nothing else):

                                                                                                       
[root@jbb-hp24-oled:/]# find / -xdev -uid 1000 2>/dev/null                    /var/lib/docker/overlay2/8029713805e5fa2dcd1e805dc22d8124645efe67c2cfc7c8cbbd2
e3668e93a0a/diff/home/jeff                                                    
/var/lib/docker/overlay2/m19ku0a61hjyxy8bl0pb75r3h/diff/home/jeff             
/var/lib/docker/overlay2/663289cbeab860c3cdcfe9bb4fcb692e91562551ae8e19aa649a9
ca11420f5c7/diff/home/ubuntu                                                  
/var/lib/docker/overlay2/663289cbeab860c3cdcfe9bb4fcb692e91562551ae8e19aa649a9
ca11420f5c7/diff/home/ubuntu/.bashrc                 
...

In a situation where I don’t entirely understand what has happened, I wouldn’t let myself say there’s no chance (if I were you, I would do a quick check of my backups before trying it), but I wouldn’t expect that to happen, since authentication is generally keyed off of user name and not UID. And yes, being able to login as root should get you out of any mishaps that haven’t broken your store.

Done! Thanks!

For anyone who needs the story: I logged out of KDE and then back in but as root, deleted both existing ordinary users (jbb and jeff), chowned everything that was owned by 1001 to 1000,
rebuilt and got a warning about NixOS not wanting to touch /etc/passwd, futzed around with a few more manual configurations (I didn’t take notes, sorry! but it was to bring /etc/passwd in line with the other changes), rebuilt again and got no warnings, and now I can log in as jeff=1000 to KDE with Plasma 6.