Commit b33bf6b9 authored by Eduard Bachmakov

nixos/systemd/initrd: Fix emergencyAccess to work with `null`.

Implementation is now compatible with the option's .type already defined.

This allows us to pass `config.users.users.<user>.hashedPassword` even if this is null (the default).

Before:
true  => access
false => no access
hash  => access via password
null  => eval error

After:
true  => access
false => no access
hash  => access via password
null  => no access
parent 5e0ca229
+8 −3
@@ -226,8 +226,8 @@ in {
    emergencyAccess = mkOption {
      type = with types; oneOf [ bool (nullOr (passwdEntry str)) ];
      description = ''
        Set to true for unauthenticated emergency access, and false for
        no emergency access.
        Set to true for unauthenticated emergency access, and false or
        null for no emergency access.

        Can also be set to a hashed super user password to allow
        authenticated access to the emergency mode.
@@ -429,7 +429,12 @@ in {
        # We can use either ! or * to lock the root account in the
        # console, but some software like OpenSSH won't even allow you
        # to log in with an SSH key if you use ! so we use * instead
        "/etc/shadow".text = "root:${if isBool cfg.emergencyAccess then optionalString (!cfg.emergencyAccess) "*" else cfg.emergencyAccess}:::::::";
        "/etc/shadow".text = let
          ea = cfg.emergencyAccess;
          access = ea != null && !(isBool ea && !ea);
          passwd = if isString ea then ea else "";
        in
          "root:${if access then passwd else "*"}:::::::";

        "/bin".source = "${initrdBinEnv}/bin";
        "/sbin".source = "${initrdBinEnv}/bin";