authorworldofpeace <worldofpeace@protonmail.ch>2019-08-07 23:34:41 -0400
committerworldofpeace <worldofpeace@protonmail.ch>2019-08-12 14:45:27 -0400
commit397c7d26fcb001ce5e1e3c53a3366524c4f91bf9 (patch)
tree8b9833f37118db3800dd3aa6705f6ded9755e961 /nixos/modules/installer
parent1c709e0e6c037961cea0b3206d1f850e2e1ad636 (diff)
installer: Don't run as root
There are many reasons why this is, and is going to continue to be, difficult to do: 1. All display-managers' (excluding slim) default PAM rules disallow root auto login. 2. We can't use wayland. 3. We have to use system-wide pulseaudio. 4. It could break applications in the session. This happened to dolphin in plasma5 in the past. This is growing technical debt, so let's just use passwordless sudo.
Diffstat (limited to 'nixos/modules/installer')
-rw-r--r--nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix19
-rw-r--r--nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix17
2 files changed, 27 insertions, 9 deletions
diff --git a/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix b/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix
index f65239a5bc0..1578e1547bc 100644
--- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix
+++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix
@@ -8,16 +8,30 @@ with lib;
{
imports = [ ./installation-cd-base.nix ];
+ # Whitelist wheel users to do anything
+ # This is useful for things like pkexec
+ #
+ # WARNING: this is dangerous for systems
+ # outside the installation-cd and shouldn't
+ # be used anywhere else.
+ security.polkit.extraConfig = ''
+ polkit.addRule(function(action, subject) {
+ if (subject.isInGroup("wheel")) {
+ return polkit.Result.YES;
+ }
+ });
+ '';
+
services.xserver = {
enable = true;
# Don't start the X server by default.
autorun = mkForce false;
- # Automatically login as root.
+ # Automatically login as nixos.
displayManager.slim = {
enable = true;
- defaultUser = "root";
+ defaultUser = "nixos";
autoLogin = true;
};
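Review bot: The rule added to `security.polkit.extraConfig` returns `polkit.Result.YES` for every action as soon as the subject is in wheel, without checking that the request comes from the local, active session. Scoping it to the console session keeps pkexec working for the auto-logged-in user while leaving any other session of a wheel member on the normal authentication path: `if (subject.isInGroup("wheel") && subject.local && subject.active) {`. The WARNING exists only as a comment, so any image that imports this module presumably inherits the blanket rule; stating that in the comment (for example `# Inherited by every module that imports this file.`) would make the scope explicit. The `services.xserver` block continues past the end of this hunk.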
@@ -33,7 +47,6 @@ with lib;
# Enable sound in graphical iso's.
hardware.pulseaudio.enable = true;
- hardware.pulseaudio.systemWide = true; # Needed since we run plasma as root.
environment.systemPackages = [
# Include gparted for partitioning disks.
diff --git a/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix b/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix
index 1c3c9cb30b4..2536ba73a1d 100644
--- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix
+++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix
@@ -1,5 +1,5 @@
# This module defines a NixOS installation CD that contains X11 and
-# Plasma5.
+# Plasma 5.
{ config, lib, pkgs, ... }:
@@ -30,15 +30,20 @@ with lib;
Version=1.0
Type=Application
Name=NixOS Manual
- Exec=firefox ${config.system.build.manual.manualHTMLIndex}
+ Exec=firefox ${config.system.build.manual.manual}/share/doc/nixos/index.html
Icon=text-html
'';
+ homeDir = "/home/nixos/";
+ desktopDir = homeDir + "Desktop/";
+
in ''
- mkdir -p /root/Desktop
- ln -sfT ${manualDesktopFile} /root/Desktop/nixos-manual.desktop
- ln -sfT ${pkgs.konsole}/share/applications/org.kde.konsole.desktop /root/Desktop/org.kde.konsole.desktop
- ln -sfT ${pkgs.gparted}/share/applications/gparted.desktop /root/Desktop/gparted.desktop
+ mkdir -p ${desktopDir}
+ chown nixos ${homeDir} ${desktopDir}
+
+ ln -sfT ${manualDesktopFile} ${desktopDir + "nixos-manual.desktop"}
+ ln -sfT ${pkgs.gparted}/share/applications/gparted.desktop ${desktopDir + "gparted.desktop"}
+ ln -sfT ${pkgs.konsole}/share/applications/org.kde.konsole.desktop ${desktopDir + "org.kde.konsole.desktop"}
'';
}
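Review bot: `chown nixos ${homeDir} ${desktopDir}` is a privileged operation on paths that the nixos user owns afterwards, and because both paths end in `/` it follows a symlink if either path has been replaced by one. That is not a privilege boundary on this image, since the commit description makes nixos root-equivalent through passwordless sudo. The pattern is unsafe where the user is unprivileged, so a comment above the line would help: `# nixos is root-equivalent on the installer; do not reuse this root-run chown/ln into a user-owned directory elsewhere`. The chown also sets only the owner, so directories created by `mkdir -p` keep the creating process's group; `chown nixos: ${homeDir} ${desktopDir}` would assign the user's login group as well. The script these lines belong to begins and ends outside the hunk, so where and when it runs is not visible here.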