forked from mirrors/nixpkgs
a5872edf2f
Right now the UX for installing NixOS on a headless system is very bad. To enable sshd without physical steps users have to have either physical access or need to be very knowledge-able to figure out how to modify the installation image by hand to put an `sshd.service` symlink in the right directory in /nix/store. This is in particular a problem on ARM SBCs (single board computer) but also other hardware where network is the only meaningful way to access the hardware. This commit enables sshd by default. This does not give anyone access to the NixOS installer since by default. There is no user with a non-empty password or key. It makes it easy however to add ssh keys to the installation image (usb stick, sd-card on arm boards) by simply mounting it and adding a keys to `/root/.ssh/authorized_keys`. Importantly this should not require nix/nixos on the machine that prepare the installation device and even feasiable on non-linux systems by using ext4 third party drivers. Potential new threats: Since this enables sshd by default a potential bug in openssh could lead to remote code execution. Openssh has a very good track-record over the last 20 years, which makes it far more likely that Linux itself would have a remote code execution vulnerability. It is trusted by millions of servers on many operating systems to be exposed to the internet by default. Co-authored-by: Samuel Dionne-Riel <samuel@dionne-riel.com>
104 lines
3.5 KiB
Nix
104 lines
3.5 KiB
Nix
# Provide a basic configuration for installation devices like CDs.
|
|
{ config, pkgs, lib, ... }:
|
|
|
|
with lib;
|
|
|
|
{
|
|
imports =
|
|
[ # Enable devices which are usually scanned, because we don't know the
|
|
# target system.
|
|
../installer/scan/detected.nix
|
|
../installer/scan/not-detected.nix
|
|
|
|
# Allow "nixos-rebuild" to work properly by providing
|
|
# /etc/nixos/configuration.nix.
|
|
./clone-config.nix
|
|
|
|
# Include a copy of Nixpkgs so that nixos-install works out of
|
|
# the box.
|
|
../installer/cd-dvd/channel.nix
|
|
];
|
|
|
|
config = {
|
|
|
|
# Enable in installer, even if the minimal profile disables it.
|
|
documentation.enable = mkForce true;
|
|
|
|
# Show the manual.
|
|
documentation.nixos.enable = mkForce true;
|
|
|
|
# Use less privileged nixos user
|
|
users.users.nixos = {
|
|
isNormalUser = true;
|
|
extraGroups = [ "wheel" "networkmanager" "video" ];
|
|
# Allow the graphical user to login without password
|
|
initialHashedPassword = "";
|
|
};
|
|
|
|
# Allow the user to log in as root without a password.
|
|
users.users.root.initialHashedPassword = "";
|
|
|
|
# Allow passwordless sudo from nixos user
|
|
security.sudo = {
|
|
enable = mkDefault true;
|
|
wheelNeedsPassword = mkForce false;
|
|
};
|
|
|
|
# Automatically log in at the virtual consoles.
|
|
services.mingetty.autologinUser = "nixos";
|
|
|
|
# Some more help text.
|
|
services.mingetty.helpLine = ''
|
|
The "nixos" and "root" accounts have empty passwords.
|
|
|
|
An ssh daemon is running. You then must set a password
|
|
for either "root" or "nixos" with `passwd` or add an ssh key
|
|
to /home/nixos/.ssh/authorized_keys be able to login.
|
|
'' + optionalString config.services.xserver.enable ''
|
|
Type `sudo systemctl start display-manager' to
|
|
start the graphical user interface.
|
|
'';
|
|
|
|
# We run sshd by default. Login via root is only possible after adding a
|
|
# password via "passwd" or by adding a ssh key to /home/nixos/.ssh/authorized_keys.
|
|
# The latter one is particular useful if keys are manually added to
|
|
# installation device for head-less systems i.e. arm boards by manually
|
|
# mounting the storage in a different system.
|
|
services.openssh = {
|
|
enable = true;
|
|
permitRootLogin = "yes";
|
|
};
|
|
|
|
# Enable wpa_supplicant, but don't start it by default.
|
|
networking.wireless.enable = mkDefault true;
|
|
systemd.services.wpa_supplicant.wantedBy = mkOverride 50 [];
|
|
|
|
# Tell the Nix evaluator to garbage collect more aggressively.
|
|
# This is desirable in memory-constrained environments that don't
|
|
# (yet) have swap set up.
|
|
environment.variables.GC_INITIAL_HEAP_SIZE = "1M";
|
|
|
|
# Make the installer more likely to succeed in low memory
|
|
# environments. The kernel's overcommit heustistics bite us
|
|
# fairly often, preventing processes such as nix-worker or
|
|
# download-using-manifests.pl from forking even if there is
|
|
# plenty of free memory.
|
|
boot.kernel.sysctl."vm.overcommit_memory" = "1";
|
|
|
|
# To speed up installation a little bit, include the complete
|
|
# stdenv in the Nix store on the CD.
|
|
system.extraDependencies = with pkgs;
|
|
[
|
|
stdenv
|
|
stdenvNoCC # for runCommand
|
|
busybox
|
|
jq # for closureInfo
|
|
];
|
|
|
|
# Show all debug messages from the kernel but don't log refused packets
|
|
# because we have the firewall enabled. This makes installs from the
|
|
# console less cumbersome if the machine has a public IP.
|
|
networking.firewall.logRefusedConnections = mkDefault false;
|
|
};
|
|
}
|