ragusa-it/nixos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Harden NixOS config defaults and setup guidance #4

Merged
Copilot merged 13 commits from copilot/review-nixos-setup-issues into main 2026-02-01 21:17:59 +00:00
Conversation 2 Commits 13 Files Changed 5 +5 -5
2 changed files with 5 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 359c6fc719 - Show all commits

8
README.md
View File

@@ -138,10 +138,10 @@ sudo nixos-rebuild boot --profile-name gaming --flake .#gaming
Generate a password hash and save it to `/etc/nixos/secrets/<username>/password.hash` (replace `<username>` with your actual username): Generate a password hash and save it to `/etc/nixos/secrets/<username>/password.hash` (replace `<username>` with your actual username):
```bash ```bash
sudo mkdir -p /etc/nixos/secrets/john sudo mkdir -p /etc/nixos/secrets/<username>
sudo chmod 700 /etc/nixos/secrets/john sudo chmod 700 /etc/nixos/secrets/<username>
mkpasswd -m sha-512 | sudo tee /etc/nixos/secrets/john/password.hash mkpasswd -m sha-512 | sudo tee /etc/nixos/secrets/<username>/password.hash
sudo chmod 600 /etc/nixos/secrets/john/password.hash sudo chmod 600 /etc/nixos/secrets/<username>/password.hash
``` ```
### Setup MangoWC ### Setup MangoWC

2
flake.nix
View File

@@ -43,7 +43,7 @@
usernameValid = usernameValid =
builtins.match "^[a-z_][a-z0-9_]*$" username != null builtins.match "^[a-z_][a-z0-9_]*$" username != null
&& builtins.match "^_+$" username == null && builtins.match "^_+$" username == null
copilot-pull-request-reviewer[bot] commented 2026-02-01 21:21:01 +00:00 (Migrated from github.com)
Review
Copy Link

The username validation regex allows usernames that consist only of underscores followed by other characters (e.g., "___abc"), but the second check builtins.match "^_+$" username == null only rejects usernames that are entirely underscores. According to standard Unix username conventions, usernames starting with underscore are typically reserved for system accounts. Consider strengthening the validation to reject any username starting with underscore unless that's intentionally allowed for system accounts.

      builtins.match "^[a-z][a-z0-9_]*$" username != null
The username validation regex allows usernames that consist only of underscores followed by other characters (e.g., "___abc"), but the second check `builtins.match "^_+$" username == null` only rejects usernames that are entirely underscores. According to standard Unix username conventions, usernames starting with underscore are typically reserved for system accounts. Consider strengthening the validation to reject any username starting with underscore unless that's intentionally allowed for system accounts. ```suggestion builtins.match "^[a-z][a-z0-9_]*$" username != null ```
&& builtins.match "^nix" username == null && builtins.match "^nix.*" username == null
&& username != "root"; && username != "root";
hostConfig = (./hosts + "/${hostname}") + "/hardware-configuration.nix"; hostConfig = (./hosts + "/${hostname}") + "/hardware-configuration.nix";
passwordHashPath = "/etc/nixos/secrets/${username}/password.hash"; passwordHashPath = "/etc/nixos/secrets/${username}/password.hash";