Harden NixOS config defaults and setup guidance #4

Merged
Copilot merged 13 commits from copilot/review-nixos-setup-issues into main 2026-02-01 21:17:59 +00:00
3 changed files with 8 additions and 8 deletions
Showing only changes of commit 78fb822374


@@ -136,12 +136,12 @@ sudo nixos-rebuild boot --profile-name gaming --flake .#gaming
### Change Password
Generate a password hash and save it to `/etc/nixos/secrets/<username>/password.hash` (required before applying the config):
Generate a password hash and save it to `/etc/nixos/secrets/<username>/password.hash` (replace `<username>` with your actual username):
```bash
sudo mkdir -p /etc/nixos/secrets/<username>
sudo chmod 700 /etc/nixos/secrets/<username>
mkpasswd -m sha-512 | sudo tee /etc/nixos/secrets/<username>/password.hash
sudo chmod 600 /etc/nixos/secrets/<username>/password.hash
sudo mkdir -p /etc/nixos/secrets/john
sudo chmod 700 /etc/nixos/secrets/john
mkpasswd -m sha-512 | sudo tee /etc/nixos/secrets/john/password.hash
sudo chmod 600 /etc/nixos/secrets/john/password.hash
```
### Setup MangoWC
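Review bot: the rewritten intro sentence drops "(required before applying the config)", so the README no longer tells the reader that the build fails without this file; keep both clauses, e.g. "(required before applying the config; replace `<username>` with your actual username)". The concrete `john` lines are fine, and creating the directory with mode 700 before `tee` writes the hash, then tightening the file to 600, is the right order; note that `tee` also echoes the hash to the terminal, so users should run this where the screen is not being logged.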


@@ -45,8 +45,8 @@
&& builtins.match "^_+$" username == null
copilot-pull-request-reviewer[bot] commented 2026-02-01 21:21:01 +00:00 (Migrated from github.com)
Review

The username validation regex allows usernames that consist only of underscores followed by other characters (e.g., "___abc"), but the second check `builtins.match "^_+$" username == null` only rejects usernames that are entirely underscores. According to standard Unix username conventions, usernames starting with underscore are typically reserved for system accounts. Consider strengthening the validation to reject any username starting with underscore unless that's intentionally allowed for system accounts.

      builtins.match "^[a-z][a-z0-9_]*$" username != null
&& builtins.match "^nix" username == null
&& username != "root";
hostConfig = ./hosts + "/${hostname}/hardware-configuration.nix";
passwordHashPath = assert usernameValid; "/etc/nixos/secrets/${username}/password.hash";
hostConfig = (./hosts + "/${hostname}") + "/hardware-configuration.nix";
passwordHashPath = "/etc/nixos/secrets/${username}/password.hash";
specialArgs = { inherit inputs system hostname username usernameValid passwordHashPath; };
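Review bot: `builtins.match "^nix" username == null` does not implement the "must not start with nix" rule that the common.nix assertion message promises: `builtins.match` only returns a non-null list when the pattern matches the whole string, so this clause rejects the literal name "nix" and accepts "nixbld1" or "nixops"; use `builtins.match "nix.*" username == null`. Removing `assert usernameValid;` from `passwordHashPath` is acceptable only because `usernameValid` still travels through `specialArgs` to the module assertion, so keep that export. Keeping the hash location as a plain string rather than a path literal is correct: a path literal would be copied into the world-readable Nix store when interpolated into a derivation.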
copilot-pull-request-reviewer[bot] commented 2026-02-01 21:21:01 +00:00 (Migrated from github.com)
Review

The assertion for `hostConfig` will fail at evaluation time with a cryptic error if the path doesn't exist. The assert statement should provide a helpful error message to guide users. Consider using a let-binding with an abort statement that provides a clear message like: "Hardware configuration not found at ./hosts/${hostname}/hardware-configuration.nix. Please ensure the directory exists and contains the hardware configuration file."

    hostConfig =
      let
        hardwarePath = ./hosts + "/${hostname}/hardware-configuration.nix";
      in
      if builtins.pathExists hardwarePath then
        hardwarePath
      else
        builtins.abort "Hardware configuration not found at ./hosts/${hostname}/hardware-configuration.nix. Please ensure the directory exists and contains the hardware configuration file.";
copilot-pull-request-reviewer[bot] commented 2026-02-01 21:21:01 +00:00 (Migrated from github.com)
Review

The `passwordHashPath` is hardcoded to a system location that may not exist on first installation, but there's no validation or assertion to check if this file exists. This will cause the system build to fail with an unclear error. Consider adding an assertion in `common.nix` to check if the password hash file exists, with a helpful error message directing users to the password setup instructions in the README. Alternatively, document that users must create this file before their first build.

    passwordHashPath =
      let
        path = "/etc/nixos/secrets/${username}/password.hash";
      in
      if builtins.pathExists path then
        path
      else
        builtins.throw ''
          Password hash file not found at ${path}.
          
          Please create this file before your first build.
          See the password setup instructions in the project README.
        '';
# Verify mango flake exports the expected module
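The username check discussed in the review above hinges on `builtins.match` matching the entire string, not a prefix. The following is an added example, not code from this repository: a standalone validator that uses the reviewer's suggested regex, rejects names that merely start with `nix` (a change from the page's `"^nix"` clause), and checks itself against a few constructed names.

```nix
# Added example, not part of this repository. Evaluate with:
#   nix-instantiate --eval --strict validate.nix
let
  # builtins.match returns a list only when the regex matches the WHOLE
  # string, so "^nix" would match the literal name "nix" and nothing else.
  # "nix.*" rejects every name that starts with nix (e.g. nixbld1).
  usernameValid = username:
    builtins.match "^[a-z][a-z0-9_]*$" username != null   # lowercase, starts with a letter
    && builtins.match "nix.*" username == null             # reserved for Nix build users
    && username != "root";

  # Constructed test names with the verdict each one should get.
  cases = [
    { name = "john";    expected = true;  }
    { name = "nixbld1"; expected = false; }  # "^nix" would wrongly accept this
    { name = "nix";     expected = false; }
    { name = "root";    expected = false; }
    { name = "_svc";    expected = false; }  # leading underscore rejected here
    { name = "John";    expected = false; }  # uppercase not allowed
  ];

  failures = builtins.filter (c: usernameValid c.name != c.expected) cases;
in
if failures == [ ] then
  "all ${toString (builtins.length cases)} cases passed"
else
  throw "unexpected verdict for: ${builtins.concatStringsSep ", " (map (c: c.name) failures)}"
```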


@@ -4,7 +4,7 @@
assertions = [
{
assertion = usernameValid;
message = "username must be a simple system user name and not reserved.";
message = "username must start with a-z or _, contain only lowercase letters, digits, and underscores, and must not be root or start with nix.";
}
];
# --------------------------------------------------------------------------
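Review bot: the new message describes a stricter rule than the flake enforces. With the flake's `builtins.match "^nix"` clause only the exact name "nix" is rejected, so "must not ... start with nix" overstates the check; either tighten the flake clause to `"nix.*"` or word the message to match what is actually enforced. The message also says names may start with `_`, which the review comment on the flake hunk argues against; decide that in one place so the message and the regex cannot drift apart, and consider stating the regex itself in the message so a failing user sees exactly what is tested.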