nixos/systemd/initrd: Fix emergencyAccess to work with null.

Implementation is now compatible with the option's .type already defined. This allows us to pass `config.users.users.<user>.hashedPassword` even if this is null (the default). Before: true => access false => no access hash => access via password null => eval error After: true => access false => no access hash => access via password null => no access
2024-09-29 07:32:58 +00:00 · 2024-08-13 10:56:32 +02:00 · 2024-08-13 10:56:32 +02:00 · b33bf6b99a
commit b33bf6b99a
parent 5e0ca22929
1 changed files with 8 additions and 3 deletions
--- a/nixos/modules/system/boot/systemd/initrd.nix
+++ b/nixos/modules/system/boot/systemd/initrd.nix
@ -226,8 +226,8 @@ in {
    emergencyAccess = mkOption {
      type = with types; oneOf [ bool (nullOr (passwdEntry str)) ];
      description = ''
-        Set to true for unauthenticated emergency access, and false for
-        no emergency access.
+        Set to true for unauthenticated emergency access, and false or
+        null for no emergency access.

        Can also be set to a hashed super user password to allow
        authenticated access to the emergency mode.
@ -429,7 +429,12 @@ in {
        # We can use either ! or * to lock the root account in the
        # console, but some software like OpenSSH won't even allow you
        # to log in with an SSH key if you use ! so we use * instead
-        "/etc/shadow".text = "root:${if isBool cfg.emergencyAccess then optionalString (!cfg.emergencyAccess) "*" else cfg.emergencyAccess}:::::::";
+        "/etc/shadow".text = let
+          ea = cfg.emergencyAccess;
+          access = ea != null && !(isBool ea && !ea);
+          passwd = if isString ea then ea else "";
+        in
+          "root:${if access then passwd else "*"}:::::::";

        "/bin".source = "${initrdBinEnv}/bin";
        "/sbin".source = "${initrdBinEnv}/bin";