diff options
| author | worldofpeace <worldofpeace@protonmail.ch> | 2019-08-07 23:34:41 -0400 |
|---|---|---|
| committer | worldofpeace <worldofpeace@protonmail.ch> | 2019-08-12 14:45:27 -0400 |
| commit | 397c7d26fcb001ce5e1e3c53a3366524c4f91bf9 (patch) | |
| tree | 8b9833f37118db3800dd3aa6705f6ded9755e961 /nixos/modules/profiles | |
| parent | 1c709e0e6c037961cea0b3206d1f850e2e1ad636 (diff) | |
installer: Don't run as root
There's many reason why it is and is going to
continue to be difficult to do this:
1. All display-managers (excluding slim) default PAM rules
disallow root auto login.
2. We can't use wayland
3. We have to use system-wide pulseaudio
4. It could break applications in the session.
This happened to dolphin in plasma5
in the past.
This is a growing technical debt, let's just use
passwordless sudo.
Diffstat (limited to 'nixos/modules/profiles')
| -rw-r--r-- | nixos/modules/profiles/installation-device.nix | 27 |
1 files changed, 20 insertions, 7 deletions
diff --git a/nixos/modules/profiles/installation-device.nix b/nixos/modules/profiles/installation-device.nix index 580ea4a58e5b..1a6e06995603 100644 --- a/nixos/modules/profiles/installation-device.nix +++ b/nixos/modules/profiles/installation-device.nix @@ -32,19 +32,35 @@ with lib; #services.rogue.enable = true; # Disable some other stuff we don't need. - security.sudo.enable = mkDefault false; services.udisks2.enable = mkDefault false; + # Use less privileged nixos user + users.users.nixos = { + isNormalUser = true; + extraGroups = [ "wheel" "networkmanager" "video" ]; + # Allow the graphical user to login without password + initialHashedPassword = ""; + }; + + # Allow the user to log in as root without a password. + users.users.root.initialHashedPassword = ""; + + # Allow passwordless sudo from nixos user + security.sudo = { + enable = mkDefault true; + wheelNeedsPassword = mkForce false; + }; + # Automatically log in at the virtual consoles. - services.mingetty.autologinUser = "root"; + services.mingetty.autologinUser = "nixos"; # Some more help text. services.mingetty.helpLine = '' - The "root" account has an empty password. ${ + The "nixos" and "root" account have empty passwords. ${ optionalString config.services.xserver.enable - "Type `systemctl start display-manager' to\nstart the graphical user interface."} + "Type `sudo systemctl start display-manager' to\nstart the graphical user interface."} ''; # Allow sshd to be started manually through "systemctl start sshd". @@ -86,8 +102,5 @@ with lib; # because we have the firewall enabled. This makes installs from the # console less cumbersome if the machine has a public IP. networking.firewall.logRefusedConnections = mkDefault false; - - # Allow the user to log in as root without a password. - users.users.root.initialHashedPassword = ""; }; } |