mirror of https://gitlab.com/curben/blog
post(nixos-part-2): passwordFile quirk
This commit is contained in:
parent
eedb5241a1
commit
91cc8e78e3
|
@ -45,6 +45,8 @@ Use `openssl passwd -6` to generate the SHA512-hashed password. Alternatively, i
|
|||
|
||||
Note that the hash is still world-readable. A more secure option is to use `users.<name>.passwordFile`. Save the hash into a file (e.g. "/etc/nixos/nixos.password") and restricts the file to be readable by root only (`chown root:root` and `chmod 600`).
|
||||
|
||||
You might be wondering why not just `passwordFile` during installation. The issue is that, in the live CD environment, the "/etc/" folder refers to the live CD's not the actual one which is located in "/mnt/etc/". I mean, you _could_ try "/mnt/etc/nixos/nixos.password", but you gotta remember to update the option after reboot otherwise you would get locked out. "./nixos.password" value doesn't work because `passwordFile` option doesn't support relative path, it must be a full path. Hence, I have use `hashedPassword` during the initial setup and then switch to `passwordFile`. Remember to remove the `hashedPassword` option once you have set up `passwordFile`.
|
||||
|
||||
``` js
|
||||
passwordFile = "/etc/nixos/nixos.password";
|
||||
isNormalUser = true;
|
||||
|
@ -53,6 +55,14 @@ Note that the hash is still world-readable. A more secure option is to use `user
|
|||
|
||||
I enable `isNormalUser` which includes sane defaults (disable "isSystemUser", create a home folder in "/home/nixos/" and enable shell). Since root account is disabled, you definitely need to add the user to `wheel` group so that it can use `sudo`.
|
||||
|
||||
Once you run `# nixos-rebuild switch`, verify the password has been set, by checking the `/etc/shadow`.
|
||||
|
||||
```
|
||||
# cat /etc/shadow | grep 'nixos'
|
||||
```
|
||||
|
||||
The hash in the output should be the same as the "/etc/nixos/nixos.password" file. Only quit root shell **after** verify.
|
||||
|
||||
## Run each service as different user
|
||||
|
||||
For separation of privilege, each service is launched with different user under different group. Shell is disabled for those users. In this case, I have "caddyProxy" to run the Caddy reverse proxy for mdleom.com, "caddyTor" for the reverse proxy to be connected to Tor and "tor" for the Tor hidden service. Caddy package does create "caddy" user by default in its ["caddy.nix"](https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/web-servers/caddy.nix), but I prefer to use my own "caddy.nix" which has less permissions granted. "tor" user will be created automatically by the Tor package, but I need to import the private key and assign it to the "tor" user before I can enable the service, hence I create the user beforehand.
|
||||
|
|
Loading…
Reference in New Issue