Diffstat (limited to 'modules')
-rw-r--r--modules/system/shells.nix12
-rw-r--r--modules/users/default.nix4
-rw-r--r--modules/users/user.nix13
3 files changed, 21 insertions, 8 deletions
diff --git a/modules/system/shells.nix b/modules/system/shells.nix
index 0b599d9..025936d 100644
--- a/modules/system/shells.nix
+++ b/modules/system/shells.nix
@@ -14,9 +14,15 @@ in
example = literalExpression "[ pkgs.bashInteractive pkgs.zsh ]";
description = ''
A list of permissible login shells for user accounts.
- No need to mention `/bin/sh`
- and other shells that are available by default on
- macOS.
+
+ The default macOS shells will be automatically included:
+ - /bin/bash
+ - /bin/csh
+ - /bin/dash
+ - /bin/ksh
+ - /bin/sh
+ - /bin/tcsh
+ - /bin/zsh
'';
apply = map (v: if types.shellPackage.check v then "/run/current-system/sw${v.shellPath}" else v);
};
diff --git a/modules/users/default.nix b/modules/users/default.nix
index 0b2ffd9..aee8fec 100644
--- a/modules/users/default.nix
+++ b/modules/users/default.nix
@@ -242,7 +242,7 @@ in
"-GID" v.gid ]
++ (lib.optionals (v.description != null) [ "-fullName" v.description ])
++ (lib.optionals (v.home != null) [ "-home" v.home ])
- ++ [ "-shell" (shellPath v.shell) ])} 2> /dev/null
+ ++ [ "-shell" (if v.shell != null then shellPath v.shell else "/usr/bin/false") ])} 2> /dev/null
# We need to check as `sysadminctl -addUser` still exits with exit code 0 when there's an error
if ! id ${name} &> /dev/null; then
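Review bot: The `"/usr/bin/false"` fallback on the `-shell` argument is a bare literal that is repeated in the option description in modules/users/user.nix, so the two can drift apart without anyone noticing. A comment above the line would state the intent, for example `# shell == null: create the account with a non-login shell; existing accounts keep their UserShell`. The surrounding command starts outside the hunk, so how the argument list is quoted is not visible here.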
@@ -260,7 +260,7 @@ in
# Update properties on known users to keep them inline with configuration
dscl . -create ${dsclUser} PrimaryGroupID ${toString v.gid}
${optionalString (v.description != null) "dscl . -create ${dsclUser} RealName ${lib.escapeShellArg v.description}"}
- dscl . -create ${dsclUser} UserShell ${lib.escapeShellArg (shellPath v.shell)}
+ ${optionalString (v.shell != null) "dscl . -create ${dsclUser} UserShell ${lib.escapeShellArg (shellPath v.shell)}"}
fi
'') createdUsers}
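Review bot: With `v.shell != null` guarding the `dscl . -create ${dsclUser} UserShell` line, an account declared without `shell` is no longer written back to `/usr/bin/false` in this update path, as the removed line did under the old default. Two consequences follow: an existing account whose shell was changed outside nix-darwin keeps that shell, and deleting a `shell = ...` setting from a configuration does not take the login shell away again. The new description in modules/users/user.nix says the value is left to macOS but does not spell out the second case; I would add a sentence such as `To keep an existing account non-interactive, set shell = "/usr/bin/false" explicitly.` and a comment on this line saying that null means the stored UserShell is left as found. The enclosing block starts before the hunk.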
diff --git a/modules/users/user.nix b/modules/users/user.nix
index 281b7e6..72ae07b 100644
--- a/modules/users/user.nix
+++ b/modules/users/user.nix
@@ -73,10 +73,17 @@
};
shell = mkOption {
- type = types.either types.shellPackage types.path;
- default = "/usr/bin/false";
+ type = types.nullOr (types.either types.shellPackage types.path);
+ default = null;
example = literalExpression "pkgs.bashInteractive";
- description = "The user's shell.";
+ description = ''
+ The user's shell. This defaults to `null`.
+
+ When this is set to `null`, if the user has not been created yet,
+ they will be created with the shell `/usr/bin/false` to prevent
+ interactive login. If the user already exists, the value is
+ considered managed by macOS and `nix-darwin` will not change it.
+ '';
};
packages = mkOption {