diff --git a/nixos/modules/config/update-users-groups.pl b/nixos/modules/config/update-users-groups.pl
index abcb082af8e5..9f91dbe1b569 100644
--- a/nixos/modules/config/update-users-groups.pl
+++ b/nixos/modules/config/update-users-groups.pl
@@ -169,6 +169,12 @@ foreach my $u (@{$spec->{users}}) {
} else {
$u->{uid} = allocUid($u->{isSystemUser}) if !defined $u->{uid};
+ if (defined $u->{initialPassword}) {
+ $u->{hashedPassword} = hashPassword($u->{initialPassword});
+ } elsif (defined $u->{initialHashedPassword}) {
+ $u->{hashedPassword} = $u->{initialHashedPassword};
+ }
+
# Create a home directory.
if ($u->{createHome}) {
make_path($u->{home}, { mode => 0700 }) if ! -e $u->{home};
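Review bot: The added branch assigns `$u->{hashedPassword}` unconditionally, so for a user being created an explicitly configured `hashedPassword` — which the accompanying option text says overrides the other password options — is silently replaced by `initialPassword` or `initialHashedPassword`. Guarding on the existing value would keep that precedence: `if (!defined $u->{hashedPassword} && defined $u->{initialPassword}) {` and the same `!defined $u->{hashedPassword}` condition on the `elsif`. Where `password` and `passwordFile` are folded into `hashedPassword` is outside this hunk, so it cannot be confirmed here whether that happens before or after this point and therefore which setting finally wins; a comment stating the intended order, e.g. `# Seed the password for a newly created user only; an explicit hashedPassword must take precedence`, would make the ordering checkable. The enclosing foreach over `$spec->{users}` and its if/else both start and end outside the hunk.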
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
index 773f9b412afe..43c927cb7692 100644
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -8,19 +8,19 @@ let
cfg = config.users;
passwordDescription = ''
- The options hashedPassword,
- password and passwordFile
+ The options ,
+ and
controls what password is set for the user.
- hashedPassword overrides both
- password and passwordFile.
- password overrides passwordFile.
+ overrides both
+ and .
+ overrides .
If none of these three options are set, no password is assigned to
the user, and the user will not be able to do password logins.
- If the option users.mutableUsers is true, the
+ If the option is true, the
password defined in one of the three options will only be set when
the user is created for the first time. After that, you are free to
change the password with the ordinary user management commands. If
- users.mutableUsers is false, you cannot change
+ is false, you cannot change
user passwords, they will always be set according to the password
options.
'';
@@ -155,7 +155,7 @@ let
default = false;
description = ''
If true, the user's shell will be set to
- cfg.defaultUserShell.
+ .
'';
};
@@ -163,7 +163,7 @@ let
type = with types; uniq (nullOr str);
default = null;
description = ''
- Specifies the (hashed) password for the user.
+ Specifies the hashed password for the user.
${passwordDescription}
'';
};
@@ -191,6 +191,37 @@ let
${passwordDescription}
'';
};
+
+ initialHashedPassword = mkOption {
+ type = with types; uniq (nullOr str);
+ default = null;
+ description = ''
+ Specifies the initial hashed password for the user, i.e. the
+ hashed password assigned if the user does not already
+ exist. If is true, the
+ password can be changed subsequently using the
+ passwd command. Otherwise, it's
+ equivalent to setting the option.
+ '';
+ };
+
+ initialPassword = mkOption {
+ type = with types; uniq (nullOr str);
+ default = null;
+ description = ''
+ Specifies the initial password for the user, i.e. the
+ password assigned if the user does not already exist. If
+ is true, the password
+ can be changed subsequently using the
+ passwd command. Otherwise, it's
+ equivalent to setting the
+ option. The same caveat applies: the password specified here
+ is world-readable in the Nix store, so it should only be
+ used for guest accounts or passwords that will be changed
+ promptly.
+ '';
+ };
+
};
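Review bot: Neither new description says what happens when both `initialPassword` and `initialHashedPassword` are set; the update-users-groups.pl change in this same commit checks `initialPassword` first and ignores `initialHashedPassword` when it is defined, so the descriptions should state that, e.g. `If both initialPassword and initialHashedPassword are set, initialPassword takes precedence.`, or an assertion should reject setting both. The `initialHashedPassword` text also lacks the Nix-store caveat that `initialPassword` carries: the hash is presumably written to the world-readable Nix store as well, where it is exposed to offline guessing, so a sentence such as `Note that the hash itself is world-readable in the Nix store.` would keep the two descriptions consistent. The option references appear to have been dropped in this rendering (`If is true`), so the exact wording cannot be checked against the real text.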
config = mkMerge
@@ -306,7 +337,8 @@ let
users = mapAttrsToList (n: u:
{ inherit (u)
name uid group description home shell createHome isSystemUser
- password passwordFile hashedPassword;
+ password passwordFile hashedPassword
+ initialPassword initialHashedPassword;
}) cfg.extraUsers;
groups = mapAttrsToList (n: g:
{ inherit (g) name gid;