extern/nix-config
1
0
Fork 1
mirror of https://github.com/donovanglover/nix-config.git synced 2025-02-18 02:31:01 +01:00
Code Issues Packages Projects Releases Wiki Activity

feat: Add option to disable root at the system level

Browse Source 
Reduces complexity in the containers module.
This commit is contained in:
Donovan Glover 2024-04-06 19:28:20 -04:00
parent bd6fabad67
commit 534476e97b
No known key found for this signature in database
GPG Key ID: EA7408A77AE1BE65
2 changed files with 10 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
containers/shared.nix
View File

@ -1,8 +1,3 @@
{ lib, config, ... }:
let
inherit (config.modules.system) username;
in
{ {
imports = [ imports = [
../modules/shell.nix ../modules/shell.nix
@ -21,6 +16,10 @@ in
../home/yazi.nix ../home/yazi.nix
]; ];
modules = {
system.noRoot = true;
};
environment = { environment = {
defaultPackages = [ ]; defaultPackages = [ ];
variables.TERM = "xterm-kitty"; variables.TERM = "xterm-kitty";
@ -41,14 +40,5 @@ in
}; };
}; };
users = {
allowNoPasswordLogin = true;
users.${username} = {
password = lib.mkForce null;
extraGroups = lib.mkForce [ ];
};
};
hardware.opengl.enable = true; hardware.opengl.enable = true;
} }

9
modules/system.nix
View File

@ -4,7 +4,7 @@ let
inherit (lib) mkOption mkEnableOption mkIf; inherit (lib) mkOption mkEnableOption mkIf;
inherit (lib.types) nullOr str listOf; inherit (lib.types) nullOr str listOf;
inherit (pkgs.nixVersions) nix_2_19; inherit (pkgs.nixVersions) nix_2_19;
inherit (cfg) username iHaveLotsOfRam hashedPassword mullvad allowSRB2Port allowZolaPort; inherit (cfg) username iHaveLotsOfRam hashedPassword mullvad allowSRB2Port allowZolaPort noRoot;
inherit (builtins) attrValues; inherit (builtins) attrValues;
cfg = config.modules.system; cfg = config.modules.system;
@ -52,6 +52,8 @@ in
default = "nixos"; default = "nixos";
}; };
noRoot = mkEnableOption "disable access to root";
mullvad = mkEnableOption "mullvad vpn"; mullvad = mkEnableOption "mullvad vpn";
allowSRB2Port = mkEnableOption "port for srb2"; allowSRB2Port = mkEnableOption "port for srb2";
@ -111,14 +113,15 @@ in
users = { users = {
mutableUsers = false; mutableUsers = false;
allowNoPasswordLogin = mkIf noRoot true;
users.${username} = { users.${username} = {
inherit hashedPassword; inherit hashedPassword;
isNormalUser = true; isNormalUser = true;
uid = 1000; uid = 1000;
password = mkIf (hashedPassword == null) username; password = mkIf (hashedPassword == null && !noRoot) username;
extraGroups = [ "wheel" "networkmanager" ]; extraGroups = if noRoot then [ ] else [ "wheel" "networkmanager" ];
}; };
}; };