From b33bf6b99a4b3d6771013cb99ed230f9a8682e95 Mon Sep 17 00:00:00 2001
From: Eduard Bachmakov
Date: Tue, 13 Aug 2024 10:56:32 +0200
Subject: [PATCH] nixos/systemd/initrd: Fix emergencyAccess to work with `null`. Implementation is now compatible with the option's .type already defined. This allows us to pass `config.users.users..hashedPassword` even if this is null (the default). Before: true => access false => no access hash => access via password null => eval error After: true => access false => no access hash => access via password null => no access
---
 nixos/modules/system/boot/systemd/initrd.nix | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/nixos/modules/system/boot/systemd/initrd.nix b/nixos/modules/system/boot/systemd/initrd.nix
index 9ddfcf6c1ba6..af0ecb4bf7ce 100644
--- a/nixos/modules/system/boot/systemd/initrd.nix
+++ b/nixos/modules/system/boot/systemd/initrd.nix
@@ -226,8 +226,8 @@ in {
 emergencyAccess = mkOption {
 type = with types; oneOf [ bool (nullOr (passwdEntry str)) ];
 description = ''
- Set to true for unauthenticated emergency access, and false for
- no emergency access.
+ Set to true for unauthenticated emergency access, and false or
+ null for no emergency access.
 Can also be set to a hashed super user password to allow authenticated access to the emergency mode.
@@ -429,7 +429,12 @@ in {
 # We can use either ! or * to lock the root account in the
 # console, but some software like OpenSSH won't even allow you
 # to log in with an SSH key if you use ! so we use * instead
- "/etc/shadow".text = "root:${if isBool cfg.emergencyAccess then optionalString (!cfg.emergencyAccess) "*" else cfg.emergencyAccess}:::::::";
+ "/etc/shadow".text = let
+ ea = cfg.emergencyAccess;
+ access = ea != null && !(isBool ea && !ea);
+ passwd = if isString ea then ea else "";
+ in
+ "root:${if access then passwd else "*"}:::::::";
 "/bin".source = "${initrdBinEnv}/bin";
 "/sbin".source = "${initrdBinEnv}/bin";
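Review bot: In the second hunk, `access = ea != null && !(isBool ea && !ea);` grants access to every value that is not `null` or `false`, and `passwd` then falls back to `""` for anything that is not a string, so the expression fails open to an empty root password field. With the declared option type that path is only reached for `true`, but an allow-list form such as `access = ea == true || isString ea;` gives the same result for the four documented cases and locks the account with `*` if the type is ever widened. Separately, if the option type accepts an empty string, it is written out as an empty hash, which has the same unauthenticated effect as `true`; since the commit message motivates passing a user's `hashedPassword` straight in, the option description in the first hunk could say so. The attribute set that holds `"/etc/shadow".text` starts and ends outside the hunk.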