nixos/systemd-sysusers: silently ignores password and hashedPassword

[Princemachiavelli]

Describe the bug

If systemd.sysusers.enable is used with users having passwords set by hashedPassword, the defined password is ignored and the users are provisioned as password-less (i.e "disabled").

Steps To Reproduce

Steps to reproduce the behavior:

1. Enable systemd.sysusers.enable
2. Enable disable users.mutableUsers or enable system.etc.overlay.enable. (I only tested via mutableUsers=false).
3. Test new config (careful!)
4. No user will be able to login via password - including root.

Expected behavior

Users should retain existing password configured via hashedPassword.

The existing users-groups module (./nixos/modules/config/users-groups.nix) actually sets the default opposite of what the new systemd-sysusers module expects. users-groups sets hashedPassword and password based on the initialHashedPassword and initialPassword values while systemd-sysusers only looks in the initial* values. systemd-sysfiles should just look at hasedPassword and password.

The assertions that prevent building a config without any login-able user (locally or via SSH) should be reviewed. I believe they were not triggered because while I did have an SSH public key configured via Nix - the config does not have an SSH server enabled.

[Princemachiavelli]

Also, the default UID of users does not start at 1000 and often results in an UID < 1000. systemd-sysusers doesn't really implement a distinction for isSystemUser or isNormalUser since it's intended to be used only for system users.

One option is to run systemd-sysusers twice; once for "normal" users and once for "system" users. In each call set the range of allowed UID/GID values via the r line option. I think just setting the r line type once will restrict all (dynamic) UID/GID allocations.