From c803c1aee5fe5f9386587b217377b35cd2bde070 Mon Sep 17 00:00:00 2001
From: MDLeom <2809763-curben@users.noreply.gitlab.com>
Date: Thu, 5 Mar 2020 07:10:32 +0000
Subject: [PATCH] post(nixos-part-2): passwordFile option

---
 source/_posts/caddy-nixos-part-2.md | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/source/_posts/caddy-nixos-part-2.md b/source/_posts/caddy-nixos-part-2.md
index e3eddc9..12cf77f 100644
--- a/source/_posts/caddy-nixos-part-2.md
+++ b/source/_posts/caddy-nixos-part-2.md
@@ -35,16 +35,18 @@ users.root.hashedPassword = "*";
 
 ## Hash user's password
 
-User's password can be configured by `users..password`, obviously this means the password is stored in plain text. Even if you lock down `configuration.nix` with `chmod 600` (which I did), "it is (still) world-readable in the Nix store". The safer way is to store in the hashed form,
+User's password can be configured by `users..password`, obviously this means the password is stored in plain text. Even if you lock down `configuration.nix` with `chmod 600` (which I did), "it is (still) world-readable in the Nix store". The safer way is to store in a hashed form,
 
 ``` js
 users..hashedPassword = "xxxx";
 ```
 
-Use `mkpasswd -m sha-512` to generate the hash. If you are using Ubuntu, it can (only?) be installed through the `whois` package. Other distros may simply install `mkpasswd` directly.
+Use `openssl passwd -6` to generate the SHA512-hashed password. Alternatively, if your distro bundles it (Ubuntu doesn't), you could also use `mkpasswd -m sha-512`, but do enter the password with care because it only prompts once (unlike openssl which prompts twice).
+
+Note that the hash is still world-readable. A more secure option is to use `users..passwordFile`. Save the hash into a file (e.g. "/etc/nixos/nixos.password") and restricts the file to be readable by root only (`chown root:root` and `chmod 600`).
 
 ``` js
-  hashedPassword = "xxxx";
+  passwordFile = "/etc/nixos/nixos.password";
   isNormalUser = true;
   extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
 ```