feat: Add option to disable root at the system level

Reduces complexity in the containers module.
2024-11-25 17:53:17 +01:00 · 2024-04-06 19:28:20 -04:00 · 2024-04-06 19:28:20 -04:00 · 534476e97b
commit 534476e97b
parent bd6fabad67
2 changed files with 10 additions and 17 deletions
--- a/containers/shared.nix
+++ b/containers/shared.nix
@ -1,8 +1,3 @@
-{ lib, config, ... }:
-
-let
-  inherit (config.modules.system) username;
-in
 {
  imports = [
    ../modules/shell.nix
@ -21,6 +16,10 @@ in
    ../home/yazi.nix
  ];

+  modules = {
+    system.noRoot = true;
+  };
+
  environment = {
    defaultPackages = [ ];
    variables.TERM = "xterm-kitty";
@ -41,14 +40,5 @@ in
    };
  };

-  users = {
-    allowNoPasswordLogin = true;
-
-    users.${username} = {
-      password = lib.mkForce null;
-      extraGroups = lib.mkForce [ ];
-    };
-  };
-
  hardware.opengl.enable = true;
 }
--- a/modules/system.nix
+++ b/modules/system.nix
@ -4,7 +4,7 @@ let
  inherit (lib) mkOption mkEnableOption mkIf;
  inherit (lib.types) nullOr str listOf;
  inherit (pkgs.nixVersions) nix_2_19;
-  inherit (cfg) username iHaveLotsOfRam hashedPassword mullvad allowSRB2Port allowZolaPort;
+  inherit (cfg) username iHaveLotsOfRam hashedPassword mullvad allowSRB2Port allowZolaPort noRoot;
  inherit (builtins) attrValues;

  cfg = config.modules.system;
@ -52,6 +52,8 @@ in
      default = "nixos";
    };

+    noRoot = mkEnableOption "disable access to root";
+
    mullvad = mkEnableOption "mullvad vpn";

    allowSRB2Port = mkEnableOption "port for srb2";
@ -111,14 +113,15 @@ in

    users = {
      mutableUsers = false;
+      allowNoPasswordLogin = mkIf noRoot true;

      users.${username} = {
        inherit hashedPassword;

        isNormalUser = true;
        uid = 1000;
-        password = mkIf (hashedPassword == null) username;
-        extraGroups = [ "wheel" "networkmanager" ];
+        password = mkIf (hashedPassword == null && !noRoot) username;
+        extraGroups = if noRoot then [ ] else [ "wheel" "networkmanager" ];
      };
    };