nixos/users:added users.allowLoginless

Correct the assertion logic Fixed indentation Better wording od allowLoginless' description Co-authored-by: Eelco Dolstra <edolstra@gmail.com> Better formatting Co-authored-by: Eelco Dolstra <edolstra@gmail.com> allowLoginless -> allowNoPasswordLogin Clarified users.allowNoPasswordLogin's description Clarified assertion expression Co-authored-by: Robert Hensing <roberth@users.noreply.github.com> Reworded assertion message to gude to safer alternative
5 years ago · 07abf6942f
parent 0ab30f0ddc
commit 07abf6942f
1 changed files with 24 additions and 12 deletions
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@ -449,16 +449,10 @@ in {
  imports = [
    (mkAliasOptionModule [ "users" "extraUsers" ] [ "users" "users" ])
    (mkAliasOptionModule [ "users" "extraGroups" ] [ "users" "groups" ])
-    (mkChangedOptionModule
-      [ "security" "initialRootPassword" ]
-      [ "users" "users" "root" "initialHashedPassword" ]
-      (cfg: if cfg.security.initialRootPassword == "!"
-            then null
-            else cfg.security.initialRootPassword))
+    (mkRenamedOptionModule ["security" "initialRootPassword"] ["users" "users" "root" "initialHashedPassword"])
  ];

  ###### interface
-
  options = {

    users.mutableUsers = mkOption {
@ -526,6 +520,17 @@ in {
      '';
    };

+
+    users.allowNoPasswordLogin = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Disable checking that at least the <literal>root</literal> user or a user in the <literal>wheel</literal> group can log in using
+        a password or an SSH key.
+
+        WARNING: enabling this can lock you out of your system. Enable this only if you know what are you doing.
+      '';
+    };
  };


@ -540,6 +545,7 @@ in {
        home = "/root";
        shell = mkDefault cfg.defaultUserShell;
        group = "root";
+        initialHashedPassword = mkDefault "!";
      };
      nobody = {
        uid = ids.uids.nobody;
@ -616,9 +622,11 @@ in {
        # there is at least one "privileged" account that has a
        # password or an SSH authorized key. Privileged accounts are
        # root and users in the wheel group.
-        assertion = !cfg.mutableUsers ->
-          any id ((mapAttrsToList (_: cfg:
-            (cfg.name == "root"
+        # The check does not apply when users.disableLoginPossibilityAssertion
+        # The check does not apply when users.mutableUsers
+        assertion = !cfg.mutableUsers -> !cfg.allowNoPasswordLogin ->
+          any id (mapAttrsToList (name: cfg:
+            (name == "root"
             || cfg.group == "wheel"
             || elem "wheel" cfg.extraGroups)
            &&
@ -629,10 +637,14 @@ in {
             || cfg.openssh.authorizedKeys.keyFiles != [])
          ) cfg.users) ++ [
            config.security.googleOsLogin.enable
-          ]);
+          ];
        message = ''
          Neither the root account nor any wheel user has a password or SSH authorized key.
-          You must set one to prevent being locked out of your system.'';
+          You must set one to prevent being locked out of your system.
+          If you really want to be locked out of your system, set users.allowNoPasswordLogin = true;
+          However you are most probably better off by setting users.mutableUsers = true; and
+          manually running passwd root to set the root password.
+          '';
      }
    ] ++ flatten (flip mapAttrsToList cfg.users (name: user:
      [