post(nixos): rename passwordFile to hashedPasswordFile

introduced in nixos v23.11
Ming Di Leom 2024-07-25 11:06:56 +00:00
parent f038f71a97
commit 4b09ff2d36
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
1 changed files with 5 additions and 5 deletions

@ -69,14 +69,14 @@ printf "Password: " && read -s var && mkpasswd "$var" '$y$parameter$salt$' && va
Replace the single-quoted value `''` with the copied value. It should have similar output as the previous mkpasswd.
### passwordFile
### hashedPasswordFile
Note that the hash is still world-readable. A more secure option is to use `users.<name>.passwordFile`. Save the hash into a file (e.g. "/etc/nixos/nixos.password") and restricts the file to be readable by root only (`chown root:root` and `chmod 600`).
Note that the hash is still world-readable. A more secure option is to use `users.<name>.hashedPasswordFile`. Save the hash into a file (e.g. "/etc/nixos/nixos.password") and restricts the file to be readable by root only (`chown root:root` and `chmod 600`).
You might be wondering why not just `passwordFile` during installation. The issue is that, in the live CD environment, the "/etc/" folder refers to the live CD's not the actual one which is located in "/mnt/etc/". I mean, you _could_ try "/mnt/etc/nixos/nixos.password", but remember to update the option after reboot otherwise you would get locked out. "./nixos.password" value doesn't work because `passwordFile` option doesn't support relative path, it must be a full path. Hence, I have to use `hashedPassword` during the initial setup and then switch to `passwordFile`. Remember to remove the `hashedPassword` option once you have set up `passwordFile`.
You might be wondering why not just `hashedPasswordFile` during installation. The issue is that, in the live CD environment, the "/etc/" folder refers to the live CD's not the actual one which is located in "/mnt/etc/". I mean, you _could_ try "/mnt/etc/nixos/nixos.password", but remember to update the option after reboot otherwise you would get locked out. "./nixos.password" value doesn't work because `hashedPasswordFile` option doesn't support relative path, it must be a full path. Hence, I have to use `hashedPassword` during the initial setup and then switch to `hashedPasswordFile`. Remember to remove the `hashedPassword` option once you have set up `hashedPasswordFile`.
```nix
passwordFile = "/etc/nixos/nixos.password";
hashedPasswordFile = "/etc/nixos/nixos.password";
isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable sudo for the user.
```
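Review bot: the rewritten paragraph under `### hashedPasswordFile` never states which NixOS release the new option name requires, although the commit message says it was introduced in v23.11. A reader on an older release who copies `hashedPasswordFile = "/etc/nixos/nixos.password";` would be setting an option name that release predates, so suggest adding one sentence that the option is `hashedPasswordFile` from 23.11 onward and was named `passwordFile` before that. While these lines are being touched, "and restricts the file" should read "and restrict the file". The post also links to its own headings (for example `#unattended-upgrade`), so check for links that still point at the old heading's anchor.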
@ -614,7 +614,7 @@ Since [unattended upgrade](#unattended-upgrade) is executed on 00:00, I delay ga
hashedPassword = "*"; # Disable root password
};
nixos = {
passwordFile = "/etc/nixos/nixos.password";
hashedPasswordFile = "/etc/nixos/nixos.password";
isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable sudo for the user.
};
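Review bot: the `hashedPasswordFile = "/etc/nixos/nixos.password";` line in this users block carries no comment, while the neighbouring `hashedPassword = "*";` and `extraGroups` lines each explain themselves. Root's password is disabled in the same block and `nixos` is the only `wheel` user shown, so a wrong or unreadable path here is the lock-out case the earlier section warns about. Suggest a trailing comment along the lines of `# absolute path, readable by root only (chmod 600)` so the constraint is visible where the value is set.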