feat: improve emergency access

2025-12-06 00:57:22 +01:00 · 2025-07-22 21:27:13 +02:00 · 2025-07-22 21:27:13 +02:00 · 06ec1df09a
commit 06ec1df09a
parent a921818915
12 changed files with 142 additions and 49 deletions
--- a/modules/nixos/common/boot.nix
+++ b/modules/nixos/common/boot.nix
@ -0,0 +1,25 @@
+{ lib, pkgs, config, globals, ... }:
+{
+  options.swarselmodules.boot = lib.mkEnableOption "boot config";
+  config = lib.mkIf config.swarselmodules.boot {
+    boot = {
+      initrd.systemd = {
+        enable = true;
+        emergencyAccess = globals.root.hashedPassword;
+        users.root.shell = "${pkgs.bashInteractive}/bin/bash";
+        storePaths = [ "${pkgs.bashInteractive}/bin/bash" ];
+        extraBin = {
+          ip = "${pkgs.iproute2}/bin/ip";
+          ping = "${pkgs.iputils}/bin/ping";
+          cryptsetup = "${pkgs.cryptsetup}/bin/cryptsetup";
+        };
+      };
+      kernelParams = [ "log_buf_len=16M" ];
+      tmp.useTmpfs = true;
+      loader.timeout = lib.mkDefault 2;
+    };
+
+    console.earlySetup = true;
+
+  };
+}
--- a/modules/nixos/common/globals.nix
+++ b/modules/nixos/common/globals.nix
@ -11,6 +11,12 @@ in
      default = { };
      type = types.submodule {
        options = {
+          root = {
+            hashedPassword = mkOption {
+              type = types.str;
+            };
+          };
+
          user = {
            name = mkOption {
              type = types.str;
--- a/modules/nixos/common/users.nix
+++ b/modules/nixos/common/users.nix
@ -1,4 +1,4 @@
-{ self, pkgs, config, lib, minimal, ... }:
+{ self, pkgs, config, lib, globals, minimal, ... }:
 let
  sopsFile = self + /secrets/general/secrets.yaml;
 in
@ -9,13 +9,19 @@ in

    users = {
      mutableUsers = lib.mkIf (!minimal) false;
-      users."${config.swarselsystems.mainUser}" = {
-        isNormalUser = true;
-        description = "Leon S";
-        password = lib.mkIf (minimal || config.swarselsystems.isPublic) "setup";
-        hashedPasswordFile = lib.mkIf (!minimal && !config.swarselsystems.isPublic) config.sops.secrets.main-user-hashed-pw.path;
-        extraGroups = [ "wheel" ] ++ lib.optionals (!minimal) [ "networkmanager" "syncthing" "docker" "lp" "audio" "video" "vboxusers" "libvirtd" "scanner" ];
-        packages = with pkgs; [ ];
+      users = {
+        root = {
+          inherit (globals.root) hashedPassword;
+          shell = pkgs.zsh;
+        };
+        "${config.swarselsystems.mainUser}" = {
+          isNormalUser = true;
+          description = "Leon S";
+          password = lib.mkIf (minimal || config.swarselsystems.isPublic) "setup";
+          hashedPasswordFile = lib.mkIf (!minimal && !config.swarselsystems.isPublic) config.sops.secrets.main-user-hashed-pw.path;
+          extraGroups = [ "wheel" ] ++ lib.optionals (!minimal) [ "networkmanager" "syncthing" "docker" "lp" "audio" "video" "vboxusers" "libvirtd" "scanner" ];
+          packages = with pkgs; [ ];
+        };
      };
    };
  };