diff --git a/calamares/modules/users.conf b/calamares/modules/users.conf index a7ef70a..8c590e6 100644 --- a/calamares/modules/users.conf +++ b/calamares/modules/users.conf @@ -1,3 +1,39 @@ +# SPDX-FileCopyrightText: no +# SPDX-License-Identifier: CC0-1.0 +# +# Configuration for the one-user-system user module. +# +# Besides these settings, the users module also places the following +# keys into the Global Storage area, based on user input in the view step. +# +# - hostname +# - username +# - password (obscured) +# - autologinUser (if enabled, set to username) +# +# These Global Storage keys are set when the configuration for this module +# is read and when they are modified in the UI. +--- +### GROUPS CONFIGURATION +# +# The system has groups of uses. Some special groups must be +# created during installation. Optionally, there are special +# groups for users who can use sudo and for supporting autologin. + +# Used as default groups for the created user. +# Adjust to your Distribution defaults. +# +# Each entry in the *defaultGroups* list is either: +# - a string, naming a group; this is a **non**-system group +# which does not need to exist in the target system; if it +# does not exist, it will be created. +# - an entry with subkeys *name*, *must_exist* and *system*; +# if the group *must_exist* and does not, an error is thrown +# and the installation fails. +# +# The group is created if it does not exist, and it is +# created as a system group (GID < 1000) or user group +# (GID >= 1000) depending on the value of *system*. defaultGroups: - name: users must_exist: true @@ -16,22 +52,230 @@ defaultGroups: - scanner - rfkill -autologinGroup: autologin - -doAutologin: false - +# When *sudoersGroup* is set to a non-empty string, Calamares creates a +# sudoers file for the user. This file is located at: +# `/etc/sudoers.d/10-installer` +# Remember to add the (value of) *sudoersGroup* to *defaultGroups*. +# +# If your Distribution already sets up a group of sudoers in its packaging, +# remove this setting (delete or comment out the line below). Otherwise, +# the setting will be duplicated in the `/etc/sudoers.d/10-installer` file, +# potentially confusing users. sudoersGroup: wheel +# Some Distributions require a 'autologin' group for the user. +# Autologin causes a user to become automatically logged in to +# the desktop environment on boot. +# Disable when your Distribution does not require such a group. +autologinGroup: autologin + + +### ROOT AND SUDO +# +# Some distributions have a root user enabled for login. Others +# rely entirely on sudo or similar mechanisms to raise privileges. + +# If set to `false` (the default), writes a sudoers file with `ALL=(ALL)` +# so that commands can be run as any user. If set to `true`, writes +# `ALL=(ALL:ALL)` so that any user and any group can be chosen. sudoersConfigureWithGroup: true +# Setting this to false, causes the root account to be disabled. +# When disabled, hides the "Use the same password for administrator" +# checkbox. Also hides the "Choose a password" and associated text-inputs. setRootPassword: true +# You can control the initial state for the 'reuse password for root' +# checkbox here. Possible values are: +# - true to check or +# - false to uncheck +# +# When checked, the user password is used for the root account too. +# +# NOTE: *doReusePassword* requires *setRootPassword* to be enabled. doReusePassword: false -userShell: /bin/bash -avatarFilePath: ~/.face +### PASSWORDS AND LOGIN +# +# Autologin is convenient for single-user systems, but depends on +# the location of the machine if it is practical. "Password strength" +# measures measures might improve security by enforcing hard-to-guess +# passwords, or might encourage a post-it-under-the-keyboard approach. +# Distributions are free to steer their users to one kind of password +# or another. Weak(er) passwords may be allowed, may cause a warning, +# or may be forbidden entirely. +# You can control the initial state for the 'autologin checkbox' here. +# Possible values are: +# - true to check or +# - false to uncheck +# These set the **initial** state of the checkbox. +doAutologin: true + +# These are optional password-requirements that a distro can enforce +# on the user. The values given in this sample file set only very weak +# validation settings. +# +# Calamares itself supports two checks: +# - minLength +# - maxLength +# In this sample file, the values are set to -1 which means "no +# minimum", "no maximum". This allows any password at all. +# No effort is done to ensure that the checks are consistent +# (e.g. specifying a maximum length less than the minimum length +# will annoy users). +# +# Calamares supports password checking through libpwquality. +# The libpwquality check relies on the (optional) libpwquality library. +# The value for libpwquality is a list of configuration statements like +# those found in pwquality.conf. The statements are handed off to the +# libpwquality parser for evaluation. The check is ignored if +# libpwquality is not available at build time (generates a warning in +# the log). The Calamares password check rejects passwords with a +# score of < 40 with the given libpwquality settings. +# +# (additional checks may be implemented in CheckPWQuality.cpp and +# wired into UsersPage.cpp) +# +# To disable all password validations: +# - comment out the relevant 'passwordRequirements' keys below, +# or set minLength and maxLength to -1. +# - disable libpwquality at build-time. +# To allow all passwords, but provide warnings: +# - set both 'allowWeakPasswords' and 'allowWeakPasswordsDefault' to true. +# (That will show the box *Allow weak passwords* in the user- +# interface, and check it by default). +# - configure password-checking however you wish. +# To require specific password characteristics: +# - set 'allowWeakPasswords' to false (the default) +# - configure password-checking, e.g. with NIST settings + + +# These are very weak -- actually, none at all -- requirements +passwordRequirements: + minLength: -1 # Password at least this many characters + maxLength: -1 # Password at most this many characters + libpwquality: + - minlen=0 + - minclass=0 + +# These are "you must have a password, any password" -- requirements +# +# passwordRequirements: +# minLength: 1 + +# These are requirements the try to follow the suggestions from +# https://pages.nist.gov/800-63-3/sp800-63b.html , "Digital Identity Guidelines". +# Note that requiring long and complex passwords has its own cost, +# because the user has to come up with one at install time. +# Setting 'allowWeakPasswords' to false and 'doAutologin' to false +# will require a strong password and prevent (graphical) login +# without the password. It is likely to be annoying for casual users. +# +# passwordRequirements: +# minLength: 8 +# maxLength: 64 +# libpwquality: +# - minlen=8 +# - maxrepeat=3 +# - maxsequence=3 +# - usersubstr=4 +# - badwords=linux + +# You can control the visibility of the 'strong passwords' checkbox here. +# Possible values are: +# - true to show or +# - false to hide (default) +# the checkbox. This checkbox allows the user to choose to disable +# password-strength-checks. By default the box is **hidden**, so +# that you have to pick a password that satisfies the checks. +allowWeakPasswords: false +# You can control the initial state for the 'strong passwords' checkbox here. +# Possible values are: +# - true to uncheck or +# - false to check (default) +# the checkbox by default. Since the box is labeled to enforce strong +# passwords, in order to **allow** weak ones by default, the box needs +# to be unchecked. +allowWeakPasswordsDefault: false + + +# User settings +# +# The user can enter a username, but there are some other +# hidden settings for the user which are configurable in Calamares. +# +# Key *user* has the following sub-keys: +# +# - *shell* Shell to be used for the regular user of the target system. +# There are three possible kinds of settings: +# - unset (i.e. commented out, the default), act as if set to /bin/bash +# - empty (explicit), don't pass shell information to useradd at all +# and rely on a correct configuration file in /etc/default/useradd +# - set, non-empty, use that path as shell. No validation is done +# that the shell actually exists or is executable. +# - *forbidden_names* Login names that may not be used. This list always +# contains "root" and "nobody", but may be extended to list other special +# names for a given distro (eg. "video", or "mysql" might not be a valid +# end-user login name). +user: + shell: /bin/bash + forbidden_names: [ root ] + + +# Hostname settings +# +# The user can enter a hostname; this is configured into the system +# in some way. There are settings for how a hostname is guessed (as +# a default / suggestion) and where (or how) the hostname is set in +# the target system. +# +# Key *hostname* has the following sub-keys: +# +# - *location* How the hostname is set in the target system: +# - *None*, to not set the hostname at all +# - *EtcFile*, to write to `/etc/hostname` directly +# - *Etc*, identical to above +# - *Hostnamed*, to use systemd hostnamed(1) over DBus +# - *Transient*, to remove `/etc/hostname` from the target +# The default is *EtcFile*. Setting this to *None* or *Transient* will +# hide the hostname field. +# - *writeHostsFile* Should /etc/hosts be written with a hostname for +# this machine (also adds localhost and some ipv6 standard entries). +# Defaults to *true*. +# - *template* Is a simple template for making a suggestion for the +# hostname, based on user data. The default is "${first}-${product}". +# This is used only if the hostname field is shown. KMacroExpander is +# used; write `${key}` where `key` is one of the following: +# - *first* User's first name (whatever is first in the User Name field, +# which is first-in-order but not necessarily a "first name" as in +# "given name" or "name by which you call someone"; beware of western bias) +# - *name* All the text in the User Name field. +# - *login* The login name (which may be suggested based on User Name) +# - *product* The hardware product, based on DMI data +# - *product2* The product as described by Qt +# - *cpu* CPU name +# - *host* Current hostname (which may be a transient hostname) +# Literal text in the template is preserved. Calamares tries to map +# `${key}` values to something that will fit in a hostname, but does not +# apply the same to literal text in the template. Do not use invalid +# characters in the literal text, or no suggeston will be done. +# - *forbidden_names* lists hostnames that may not be used. This list +# always contains "localhost", but may list others that are unsuitable +# or broken in special ways. hostname: location: EtcFile writeHostsFile: true + template: "snigdhaos-${cpu}" + forbidden_names: [ localhost ] + +presets: + fullName: + # value: "OEM User" + editable: true + loginName: + # value: "oem" + editable: true + +avatarFilePath: ~/.face \ No newline at end of file