From be841cdec2466f1621aa983a2fbd357682c4f85e Mon Sep 17 00:00:00 2001
From: Qubasa
Date: Sun, 12 May 2024 12:39:19 +0200
Subject: [PATCH] Removed ssh password login
---
 nixosModules/installer/default.nix | 15 ++++-----------
 pkgs/clan-cli/clan_cli/flash.py | 4 ++++
 pkgs/installer/flake-module.nix | 13 ++++---------
 3 files changed, 12 insertions(+), 20 deletions(-)
diff --git a/nixosModules/installer/default.nix b/nixosModules/installer/default.nix
index 328d32423..21f48851e 100644
--- a/nixosModules/installer/default.nix
+++ b/nixosModules/installer/default.nix
@@ -25,8 +25,7 @@ let
 qrcode=$(gum style --border-foreground 240 --border normal "$(< /var/shared/qrcode.utf8)")
 msgs+=("$qrcode")
 fi
- network_status="Root password: $(cat /var/shared/root-password)
- Local network addresses:
+ network_status="Local network addresses:
 $(ip -brief -color addr | grep -v 127.0.0.1)
 $([[ -e /var/shared/onion-hostname ]] && echo "Onion address: $(cat /var/shared/onion-hostname)" || echo "Onion address: Waiting for tor network to be ready...")
 Multicast DNS: $(hostname).local"
@@ -56,13 +55,8 @@ in
 # https://github.com/nix-community/nixos-images/blob/main/nix/image-installer/module.nix#L46C3-L117C6 # # # ########################################################################################################
- systemd.tmpfiles.rules = [ "d /var/shared 0777 root root - -" ];
- services.openssh.settings.PermitRootLogin = "yes";
- system.activationScripts.root-password = ''
- mkdir -p /var/shared
- ${pkgs.xkcdpass}/bin/xkcdpass --numwords 3 --delimiter - --count 1 > /var/shared/root-password
- echo "root:$(cat /var/shared/root-password)" | chpasswd
- '';
+ services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";
+
 hidden-ssh-announce = {
 enable = true;
 script = pkgs.writeShellScript "write-hostname" ''
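Review bot: Dropping `systemd.tmpfiles.rules = [ "d /var/shared 0777 root root - -" ];` together with the `mkdir -p /var/shared` in the removed activation script leaves nothing in this hunk that creates `/var/shared`, while the `write-hostname` script in the next hunk still redirects into `/var/shared/onion-hostname`, `login.json` and `qrcode.utf8`. Unless the directory is created elsewhere, those writes fail at boot and the QR code and onion address never appear in the status output. Retiring the world-writable mode is the right direction; keep a tighter rule instead, e.g. `systemd.tmpfiles.rules = [ "d /var/shared 0755 root root - -" ];`, assuming the announce script runs as root (confirm against the hidden-ssh-announce service). The attribute set this hunk belongs to starts and ends outside the hunk.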
@@ -83,10 +77,9 @@ in
 echo "$1" > /var/shared/onion-hostname
 local_addrs=$(ip -json addr | jq '[map(.addr_info) | flatten | .[] | select(.scope == "global") | .local]')
 jq -nc \
- --arg password "$(cat /var/shared/root-password)" \
 --arg onion_address "$(cat /var/shared/onion-hostname)" \
 --argjson local_addrs "$local_addrs" \
- '{ pass: $password, tor: $onion_address, addrs: $local_addrs }' \
+ '{ pass: null, tor: $onion_address, addrs: $local_addrs }' \
 > /var/shared/login.json
 cat /var/shared/login.json | qrencode -s 2 -m 2 -t utf8 -o /var/shared/qrcode.utf8
 '';
diff --git a/pkgs/clan-cli/clan_cli/flash.py b/pkgs/clan-cli/clan_cli/flash.py
index 572238118..e841c9d09 100644
--- a/pkgs/clan-cli/clan_cli/flash.py
+++ b/pkgs/clan-cli/clan_cli/flash.py
@@ -191,6 +191,10 @@ def flash_command(args: argparse.Namespace) -> None:
 if ask == "y":
 pubkeys = list_available_ssh_keys()
 root_keys.extend(read_public_key_contents(pubkeys))
+ else:
+ raise ClanError(
+ "No SSH public keys provided. Use --ssh-pubkey to add keys."
+ )
 elif not opts.confirm and not root_keys:
 pubkeys = list_available_ssh_keys()
 root_keys.extend(read_public_key_contents(pubkeys))
diff --git a/pkgs/installer/flake-module.nix b/pkgs/installer/flake-module.nix
index 7f503b1b8..5318919f8 100644
--- a/pkgs/installer/flake-module.nix
+++ b/pkgs/installer/flake-module.nix
@@ -20,12 +20,7 @@ let
 };
 };
 installerModule =
- {
- config,
- pkgs,
- modulesPath,
- ...
- }:
+ { config, modulesPath, ... }:
 {
 imports = [
 wifiModule
@@ -50,12 +45,12 @@ let
 };
 flashInstallerModule =
- { config, pkgs, ... }:
+ { config, ... }:
 {
 imports = [
 wifiModule
 self.nixosModules.installer
- self.clanModules.diskLayouts
+ self.clanModules.disk-layouts
 ];
 system.stateVersion = config.system.nixos.version;
 nixpkgs.pkgs = self.inputs.nixpkgs.legacyPackages.x86_64-linux;
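Review bot: `'{ pass: null, tor: $onion_address, addrs: $local_addrs }'` keeps a `pass` key in `/var/shared/login.json` that is now never populated, and nothing in the script says why. Whatever decodes the QR payload (presumably the CLI side that used to read the password) has to tolerate null here, which is worth stating where the key is emitted, e.g. a comment above `jq -nc \`: `# pass is always null: root password login was removed; the key stays for consumers of login.json`. If no consumer depends on the key, dropping it is cleaner than advertising a credential field that is never filled. The writeShellScript body this hunk belongs to starts before the hunk.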
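Review bot: The new `else:` branch only rejects the interactive decline; the `elif not opts.confirm and not root_keys:` branch below still proceeds when `list_available_ssh_keys()` finds nothing, and the `ask == "y"` branch accepts whatever `read_public_key_contents` returns, possibly an empty list. With root password login removed by this commit, an image flashed without any root key presumably has no SSH login path left, so the guard belongs after the whole if/elif chain rather than inside one branch: `if not root_keys:` / `raise ClanError("No SSH public keys provided. Use --ssh-pubkey to add keys.")`. That also keeps the two branches that auto-discover keys consistent with each other. flash_command and the if/elif chain start before the hunk and continue after it.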
@@ -79,7 +74,7 @@ in
 # This will include your ssh public keys in the installer.
 machines.flash-installer = {
 imports = [ flashInstallerModule ];
- clan.diskLayouts.singleDiskExt4.device = lib.mkDefault "/dev/null";
+ clan.disk-layouts.singleDiskExt4.device = lib.mkDefault "/dev/null";
 boot.loader.grub.enable = lib.mkDefault true;
 };
 };