diff options
author | worldofpeace <worldofpeace@protonmail.ch> | 2019-08-07 23:34:41 -0400 |
---|---|---|
committer | worldofpeace <worldofpeace@protonmail.ch> | 2019-08-12 14:45:27 -0400 |
commit | 397c7d26fcb001ce5e1e3c53a3366524c4f91bf9 (patch) | |
tree | 8b9833f37118db3800dd3aa6705f6ded9755e961 /nixos/modules/profiles | |
parent | 1c709e0e6c037961cea0b3206d1f850e2e1ad636 (diff) | |
download | nixlib-397c7d26fcb001ce5e1e3c53a3366524c4f91bf9.tar nixlib-397c7d26fcb001ce5e1e3c53a3366524c4f91bf9.tar.gz nixlib-397c7d26fcb001ce5e1e3c53a3366524c4f91bf9.tar.bz2 nixlib-397c7d26fcb001ce5e1e3c53a3366524c4f91bf9.tar.lz nixlib-397c7d26fcb001ce5e1e3c53a3366524c4f91bf9.tar.xz nixlib-397c7d26fcb001ce5e1e3c53a3366524c4f91bf9.tar.zst nixlib-397c7d26fcb001ce5e1e3c53a3366524c4f91bf9.zip |
installer: Don't run as root
There's many reason why it is and is going to continue to be difficult to do this: 1. All display-managers (excluding slim) default PAM rules disallow root auto login. 2. We can't use wayland 3. We have to use system-wide pulseaudio 4. It could break applications in the session. This happened to dolphin in plasma5 in the past. This is a growing technical debt, let's just use passwordless sudo.
Diffstat (limited to 'nixos/modules/profiles')
-rw-r--r-- | nixos/modules/profiles/installation-device.nix | 27 |
1 files changed, 20 insertions, 7 deletions
diff --git a/nixos/modules/profiles/installation-device.nix b/nixos/modules/profiles/installation-device.nix index 580ea4a58e5b..1a6e06995603 100644 --- a/nixos/modules/profiles/installation-device.nix +++ b/nixos/modules/profiles/installation-device.nix @@ -32,19 +32,35 @@ with lib; #services.rogue.enable = true; # Disable some other stuff we don't need. - security.sudo.enable = mkDefault false; services.udisks2.enable = mkDefault false; + # Use less privileged nixos user + users.users.nixos = { + isNormalUser = true; + extraGroups = [ "wheel" "networkmanager" "video" ]; + # Allow the graphical user to login without password + initialHashedPassword = ""; + }; + + # Allow the user to log in as root without a password. + users.users.root.initialHashedPassword = ""; + + # Allow passwordless sudo from nixos user + security.sudo = { + enable = mkDefault true; + wheelNeedsPassword = mkForce false; + }; + # Automatically log in at the virtual consoles. - services.mingetty.autologinUser = "root"; + services.mingetty.autologinUser = "nixos"; # Some more help text. services.mingetty.helpLine = '' - The "root" account has an empty password. ${ + The "nixos" and "root" account have empty passwords. ${ optionalString config.services.xserver.enable - "Type `systemctl start display-manager' to\nstart the graphical user interface."} + "Type `sudo systemctl start display-manager' to\nstart the graphical user interface."} ''; # Allow sshd to be started manually through "systemctl start sshd". @@ -86,8 +102,5 @@ with lib; # because we have the firewall enabled. This makes installs from the # console less cumbersome if the machine has a public IP. networking.firewall.logRefusedConnections = mkDefault false; - - # Allow the user to log in as root without a password. - users.users.root.initialHashedPassword = ""; }; } |