nixos/users:added users.allowLoginless
Correct the assertion logic Fixed indentation Better wording of allowLoginless' description Co-authored-by: Eelco Dolstra <edolstra@gmail.com> Better formatting Co-authored-by: Eelco Dolstra <edolstra@gmail.com> allowLoginless -> allowNoPasswordLogin Clarified users.allowNoPasswordLogin's description Clarified assertion expression Co-authored-by: Robert Hensing <roberth@users.noreply.github.com> Reworded assertion message to guide to safer alternative
This commit is contained in:
parent
0ab30f0ddc
commit
07abf6942f
@ -449,16 +449,10 @@ in {
|
||||
imports = [
|
||||
(mkAliasOptionModule [ "users" "extraUsers" ] [ "users" "users" ])
|
||||
(mkAliasOptionModule [ "users" "extraGroups" ] [ "users" "groups" ])
|
||||
(mkChangedOptionModule
|
||||
[ "security" "initialRootPassword" ]
|
||||
[ "users" "users" "root" "initialHashedPassword" ]
|
||||
(cfg: if cfg.security.initialRootPassword == "!"
|
||||
then null
|
||||
else cfg.security.initialRootPassword))
|
||||
(mkRenamedOptionModule ["security" "initialRootPassword"] ["users" "users" "root" "initialHashedPassword"])
|
||||
];
|
||||
|
||||
###### interface
|
||||
|
||||
options = {
|
||||
|
||||
users.mutableUsers = mkOption {
|
||||
@ -526,6 +520,17 @@ in {
|
||||
'';
|
||||
};
|
||||
|
||||
|
||||
users.allowNoPasswordLogin = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Disable checking that at least the <literal>root</literal> user or a user in the <literal>wheel</literal> group can log in using
|
||||
a password or an SSH key.
|
||||
|
||||
WARNING: enabling this can lock you out of your system. Enable this only if you know what are you doing.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
@ -540,6 +545,7 @@ in {
|
||||
home = "/root";
|
||||
shell = mkDefault cfg.defaultUserShell;
|
||||
group = "root";
|
||||
initialHashedPassword = mkDefault "!";
|
||||
};
|
||||
nobody = {
|
||||
uid = ids.uids.nobody;
|
||||
@ -616,9 +622,11 @@ in {
|
||||
# there is at least one "privileged" account that has a
|
||||
# password or an SSH authorized key. Privileged accounts are
|
||||
# root and users in the wheel group.
|
||||
assertion = !cfg.mutableUsers ->
|
||||
any id ((mapAttrsToList (_: cfg:
|
||||
(cfg.name == "root"
|
||||
# The check does not apply when users.disableLoginPossibilityAssertion
|
||||
# The check does not apply when users.mutableUsers
|
||||
assertion = !cfg.mutableUsers -> !cfg.allowNoPasswordLogin ->
|
||||
any id (mapAttrsToList (name: cfg:
|
||||
(name == "root"
|
||||
|| cfg.group == "wheel"
|
||||
|| elem "wheel" cfg.extraGroups)
|
||||
&&
|
||||
@ -629,10 +637,14 @@ in {
|
||||
|| cfg.openssh.authorizedKeys.keyFiles != [])
|
||||
) cfg.users) ++ [
|
||||
config.security.googleOsLogin.enable
|
||||
]);
|
||||
];
|
||||
message = ''
|
||||
Neither the root account nor any wheel user has a password or SSH authorized key.
|
||||
You must set one to prevent being locked out of your system.'';
|
||||
You must set one to prevent being locked out of your system.
|
||||
If you really want to be locked out of your system, set users.allowNoPasswordLogin = true;
|
||||
However you are most probably better off by setting users.mutableUsers = true; and
|
||||
manually running passwd root to set the root password.
|
||||
'';
|
||||
}
|
||||
] ++ flatten (flip mapAttrsToList cfg.users (name: user:
|
||||
[
|
||||
|
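Review bot: The two comment lines added directly above the new assertion, `# The check does not apply when users.disableLoginPossibilityAssertion` and `# The check does not apply when users.mutableUsers`, are stale and incomplete: the first appears to name an earlier working name of the option that exists nowhere else on this page after the rename to allowNoPasswordLogin, and the second stops mid-sentence. I would replace both with `# The check does not apply when users.mutableUsers or users.allowNoPasswordLogin is set.` so the comment matches the `!cfg.mutableUsers -> !cfg.allowNoPasswordLogin ->` condition beneath it. The option description would also benefit from stating explicitly that allowNoPasswordLogin only suppresses this lock-out assertion and changes no authentication setting, since the name alone could be read as permitting password-less logins; its last sentence should read `Enable this only if you know what you are doing.`. The assertion's enclosing attribute set starts before this hunk.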