hetzner-dedicated/zfs: Password for root user

2023-10-13 16:03:09 +02:00 · 2023-10-13 16:03:09 +02:00 · 2878a591a1
parent 70acd87eff
commit 2878a591a1
1 changed files with 3 additions and 7 deletions
--- a/hosters/hetzner-dedicated/zfs-uefi-nvme-nixos.sh
+++ b/hosters/hetzner-dedicated/zfs-uefi-nvme-nixos.sh
@ -20,11 +20,8 @@
 #   inspired by https://nixos.wiki/wiki/Install_NixOS_on_Hetzner_Online
 # * This server has 2 SSDs.
 #   We put everything on mirror (RAID1 equivalent).
-# * A root user with empty password is created, so that you can just login
-#   as root and press enter when using the Hetzner spider KVM.
-#   Of course that empty-password login isn't exposed to the Internet.
-#   Change the password afterwards to avoid anyone with physical access
-#   being able to login without any authentication.
+# * A root user with a password is created, so that you can just login
+#   as root when using the Hetzner spider KVM.
 # * The script reboots at the end.
 # * exports of env vars are added throughout the script in case you want to run it manually
 export LC_ALL=C
@ -400,8 +397,7 @@ cat > /mnt/etc/nixos/configuration.nix <<EOF
    "2001:4860:4860::8844"
  ];

-  # Initial empty root password for easy login:
-  users.users.root.initialHashedPassword = "";
+  users.users.root.initialHashedPassword = "$y$j9T$bIN6GjQkmPMllOcQsq52K0$q0Z5B5.KW/uxXK9fItB8H6HO79RYAcI/ZZdB0Djke32";
  services.openssh.permitRootLogin = "prohibit-password";

  users.users.root.openssh.authorizedKeys.keys = ["$SSH_PUB_KEY"];