|
|
|
@ -449,16 +449,10 @@ in { |
|
|
|
|
imports = [ |
|
|
|
|
(mkAliasOptionModule [ "users" "extraUsers" ] [ "users" "users" ]) |
|
|
|
|
(mkAliasOptionModule [ "users" "extraGroups" ] [ "users" "groups" ]) |
|
|
|
|
(mkChangedOptionModule |
|
|
|
|
[ "security" "initialRootPassword" ] |
|
|
|
|
[ "users" "users" "root" "initialHashedPassword" ] |
|
|
|
|
(cfg: if cfg.security.initialRootPassword == "!" |
|
|
|
|
then null |
|
|
|
|
else cfg.security.initialRootPassword)) |
|
|
|
|
(mkRenamedOptionModule ["security" "initialRootPassword"] ["users" "users" "root" "initialHashedPassword"]) |
|
|
|
|
]; |
|
|
|
|
|
|
|
|
|
###### interface |
|
|
|
|
|
|
|
|
|
options = { |
|
|
|
|
|
|
|
|
|
users.mutableUsers = mkOption { |
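Review bot: The switch from mkChangedOptionModule to mkRenamedOptionModule at `security.initialRootPassword` silently changes what a configured value of `"!"` means: it used to be mapped to `null` and is now passed through verbatim as `users.users.root.initialHashedPassword`. That appears intentional, since `"!"` is also the new root default elsewhere in this commit, but nothing in the imports list says so, and anyone reading this alias later will not know why the special case was dropped. I would add a one-line comment above the rename, e.g. `# "!" is no longer special-cased: it now matches the default root initialHashedPassword and keeps password login for root disabled.` If the old `null` mapping had a distinct effect on account creation that I cannot see here, that should be called out in the release notes as well.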
|
|
|
@ -526,6 +520,17 @@ in { |
|
|
|
|
''; |
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
users.allowNoPasswordLogin = mkOption { |
|
|
|
|
type = types.bool; |
|
|
|
|
default = false; |
|
|
|
|
description = '' |
|
|
|
|
Disable checking that at least the <literal>root</literal> user or a user in the <literal>wheel</literal> group can log in using |
|
|
|
|
a password or an SSH key. |
|
|
|
|
|
|
|
|
|
WARNING: enabling this can lock you out of your system. Enable this only if you know what are you doing. |
|
|
|
|
''; |
|
|
|
|
}; |
|
|
|
|
}; |
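Review bot: The description of `users.allowNoPasswordLogin` has a grammar slip in its warning line and does not tell the reader what the option actually gates or the safer alternative that the assertion message elsewhere in this commit recommends. I would change the last sentence to `WARNING: enabling this can lock you out of your system. Enable this only if you know what you are doing.` and add a sentence such as `This only disables the build-time assertion; it does not change how accounts are created. With users.mutableUsers = true the check is already skipped, so consider that and running passwd root instead.` Since the option is a plain bool with a false default, no other change is needed.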
|
|
|
|
|
|
|
|
|
|
|
|
|
@ -540,6 +545,7 @@ in { |
|
|
|
|
home = "/root"; |
|
|
|
|
shell = mkDefault cfg.defaultUserShell; |
|
|
|
|
group = "root"; |
|
|
|
|
initialHashedPassword = mkDefault "!"; |
|
|
|
|
}; |
|
|
|
|
nobody = { |
|
|
|
|
uid = ids.uids.nobody; |
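Review bot: The new `initialHashedPassword = mkDefault "!";` for root has no comment explaining the sentinel, and `"!"` is not an obvious value to a reader who does not know the shadow file format. I would add above it: `# "!" is not a valid password hash, so password authentication for root is disabled unless a module or the user overrides this (mkDefault allows that); key-based SSH login is not affected by this field.` The enclosing `root = { ... }` attribute set starts before this hunk, so I cannot see whether a nearby comment already covers it, but the line itself is where the explanation belongs.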
|
|
|
@ -616,9 +622,11 @@ in { |
|
|
|
|
# there is at least one "privileged" account that has a |
|
|
|
|
# password or an SSH authorized key. Privileged accounts are |
|
|
|
|
# root and users in the wheel group. |
|
|
|
|
assertion = !cfg.mutableUsers -> |
|
|
|
|
any id ((mapAttrsToList (_: cfg: |
|
|
|
|
(cfg.name == "root" |
|
|
|
|
# The check does not apply when users.disableLoginPossibilityAssertion |
|
|
|
|
# The check does not apply when users.mutableUsers |
|
|
|
|
assertion = !cfg.mutableUsers -> !cfg.allowNoPasswordLogin -> |
|
|
|
|
any id (mapAttrsToList (name: cfg: |
|
|
|
|
(name == "root" |
|
|
|
|
|| cfg.group == "wheel" |
|
|
|
|
|| elem "wheel" cfg.extraGroups) |
|
|
|
|
&& |
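Review bot: The two added comment lines above the assertion are stale and incomplete: the first refers to `users.disableLoginPossibilityAssertion`, which does not exist anywhere in this commit (the option added is `users.allowNoPasswordLogin`), and the second, `# The check does not apply when users.mutableUsers`, is a cut-off sentence. I would replace both with `# The check is skipped when users.mutableUsers is true (passwd can be run later) or when users.allowNoPasswordLogin is explicitly set.` The lambda also now keys on the attribute name (`name == "root"`) rather than `cfg.name`; that is fine for the usual case but should be stated in the comment if a user attribute with a differing `name` is meant to be excluded. The assertion expression itself continues past the end of this hunk.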
|
|
|
@ -629,10 +637,14 @@ in { |
|
|
|
|
|| cfg.openssh.authorizedKeys.keyFiles != []) |
|
|
|
|
) cfg.users) ++ [ |
|
|
|
|
config.security.googleOsLogin.enable |
|
|
|
|
]); |
|
|
|
|
]; |
|
|
|
|
message = '' |
|
|
|
|
Neither the root account nor any wheel user has a password or SSH authorized key. |
|
|
|
|
You must set one to prevent being locked out of your system.''; |
|
|
|
|
You must set one to prevent being locked out of your system. |
|
|
|
|
If you really want to be locked out of your system, set users.allowNoPasswordLogin = true; |
|
|
|
|
However you are most probably better off by setting users.mutableUsers = true; and |
|
|
|
|
manually running passwd root to set the root password. |
|
|
|
|
''; |
|
|
|
|
} |
|
|
|
|
] ++ flatten (flip mapAttrsToList cfg.users (name: user: |
|
|
|
|
[ |
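Review bot: As rendered, the closing of the `any id ( ... )` expression looks mismatched: `) cfg.users) ++ [` closes the argument of `any id` before the `++`, and the new side then ends with `];` rather than `]);`, so the list `[ config.security.googleOsLogin.enable ]` would be appended to the boolean result of `any id` instead of to the `mapAttrsToList` result, which is a type error at evaluation. If the diff rendering dropped a character this is moot, but please confirm the intended form is `) cfg.users ++ [` followed by `]);`. Separately, the expanded message reads well, but since root now defaults to the `"!"` sentinel it would help to add `(a hashedPassword of "!" counts as no password)` after the first sentence so the reported failure is not confusing.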
|
|
|
|