nixos/users:added users.allowLoginless option

nixos/modules/config/users-groups.nix

@@ -441,6 +441,15 @@ in {
       '';
     };
 
+    users.allowLoginless = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to allow being locked out of your system by not allowing
+        login to any administrator user.
+      '';
+    };
+
     users.users = mkOption {
       default = {};
       type = with types; loaOf (submodule userOpts);
@@ -473,14 +482,6 @@ in {
       '';
     };
 
-    # FIXME: obsolete - will remove.
-    security.initialRootPassword = mkOption {
-      type = types.str;
-      default = "!";
-      example = "";
-      visible = false;
-    };
-
   };
 
 
@@ -495,7 +496,7 @@ in {
         home = "/root";
         shell = mkDefault cfg.defaultUserShell;
         group = "root";
-        initialHashedPassword = mkDefault config.security.initialRootPassword;
+        initialHashedPassword = mkDefault "!";
       };
       nobody = {
         uid = ids.uids.nobody;
@@ -578,7 +579,7 @@ in {
         # there is at least one "privileged" account that has a
         # password or an SSH authorized key. Privileged accounts are
         # root and users in the wheel group.
-        assertion = !cfg.mutableUsers ->
+        assertion = (!cfg.mutableUsers && cfg.allowLoginless)->
           any id (mapAttrsToList (name: cfg:
             (name == "root"
              || cfg.group == "wheel"
@@ -592,7 +593,9 @@ in {
           ) cfg.users);
         message = ''
           Neither the root account nor any wheel user has a password or SSH authorized key.
-          You must set one to prevent being locked out of your system.'';
+          You must set one to prevent being locked out of your system.
+          Otherwise set users.allowLoginless = true to allow being locked out of your system.
+          '';
       }
     ];
 

nixos/modules/rename.nix

@@ -72,6 +72,7 @@ with lib;
     (mkRemovedOptionModule [ "security" "setuidPrograms" ] "Use security.wrappers instead")
 
     (mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ])
+    (mkRenamedOptionModule ["security" "initialRootPassword"] ["users" "users" "root" "initialHashedPassword"])
 
     # PAM
     (mkRenamedOptionModule [ "security" "pam" "enableU2F" ] [ "security" "pam" "u2f" "enable" ])

pkgs/tools/package-management/home-manager/default.nix

@@ -6,13 +6,13 @@
 stdenv.mkDerivation rec {
 
   pname = "home-manager";
-  version = "2019-10-23";
+  version = "2019-10-29";
 
   src = fetchFromGitHub {
     owner = "rycee";
     repo = "home-manager";
-    rev = "1b987952b5f7d18f0bb66317cf18ffda43ad45aa";
-    sha256 = "1jdmxdnyd6jaiqjjkzw3qr0ia4qvmwmgfn05hbph37v03p55ah5q";
+    rev = "149c0593abac5879631f63e55ef5b68277020b66";
+    sha256 = "1a39mj238mxd5b6zglmsb1iclqpzs7av38g6gc1dfjxhnb731rvc";
   };
 
   nativeBuildInputs = [ makeWrapper ];