# SPDX-FileCopyrightText: no # SPDX-License-Identifier: CC0-1.0 # # Configuration for the one-user-system user module. # # Besides these settings, the users module also places the following # keys into the Global Storage area, based on user input in the view step. # # - hostname # - username # - password (obscured) # - autologinUser (if enabled, set to username) # # These Global Storage keys are set when the configuration for this module # is read and when they are modified in the UI. --- ### GROUPS CONFIGURATION # # The system has groups of uses. Some special groups must be # created during installation. Optionally, there are special # groups for users who can use sudo and for supporting autologin. # Used as default groups for the created user. # Adjust to your Distribution defaults. # # Each entry in the *defaultGroups* list is either: # - a string, naming a group; this is a **non**-system group # which does not need to exist in the target system; if it # does not exist, it will be created. # - an entry with subkeys *name*, *must_exist* and *system*; # if the group *must_exist* and does not, an error is thrown # and the installation fails. # # The group is created if it does not exist, and it is # created as a system group (GID < 1000) or user group # (GID >= 1000) depending on the value of *system*. defaultGroups: - name: users must_exist: true system: true - lp - power - video - network - storage - name: wheel must_exist: false system: true - audio - sys - optical - scanner - rfkill # When *sudoersGroup* is set to a non-empty string, Calamares creates a # sudoers file for the user. This file is located at: # `/etc/sudoers.d/10-installer` # Remember to add the (value of) *sudoersGroup* to *defaultGroups*. # # If your Distribution already sets up a group of sudoers in its packaging, # remove this setting (delete or comment out the line below). Otherwise, # the setting will be duplicated in the `/etc/sudoers.d/10-installer` file, # potentially confusing users. sudoersGroup: wheel # Some Distributions require a 'autologin' group for the user. # Autologin causes a user to become automatically logged in to # the desktop environment on boot. # Disable when your Distribution does not require such a group. autologinGroup: autologin ### ROOT AND SUDO # # Some distributions have a root user enabled for login. Others # rely entirely on sudo or similar mechanisms to raise privileges. # If set to `false` (the default), writes a sudoers file with `ALL=(ALL)` # so that commands can be run as any user. If set to `true`, writes # `ALL=(ALL:ALL)` so that any user and any group can be chosen. sudoersConfigureWithGroup: true # Setting this to false, causes the root account to be disabled. # When disabled, hides the "Use the same password for administrator" # checkbox. Also hides the "Choose a password" and associated text-inputs. setRootPassword: true # You can control the initial state for the 'reuse password for root' # checkbox here. Possible values are: # - true to check or # - false to uncheck # # When checked, the user password is used for the root account too. # # NOTE: *doReusePassword* requires *setRootPassword* to be enabled. doReusePassword: false ### PASSWORDS AND LOGIN # # Autologin is convenient for single-user systems, but depends on # the location of the machine if it is practical. "Password strength" # measures measures might improve security by enforcing hard-to-guess # passwords, or might encourage a post-it-under-the-keyboard approach. # Distributions are free to steer their users to one kind of password # or another. Weak(er) passwords may be allowed, may cause a warning, # or may be forbidden entirely. # You can control the initial state for the 'autologin checkbox' here. # Possible values are: # - true to check or # - false to uncheck # These set the **initial** state of the checkbox. doAutologin: true # These are optional password-requirements that a distro can enforce # on the user. The values given in this sample file set only very weak # validation settings. # # Calamares itself supports two checks: # - minLength # - maxLength # In this sample file, the values are set to -1 which means "no # minimum", "no maximum". This allows any password at all. # No effort is done to ensure that the checks are consistent # (e.g. specifying a maximum length less than the minimum length # will annoy users). # # Calamares supports password checking through libpwquality. # The libpwquality check relies on the (optional) libpwquality library. # The value for libpwquality is a list of configuration statements like # those found in pwquality.conf. The statements are handed off to the # libpwquality parser for evaluation. The check is ignored if # libpwquality is not available at build time (generates a warning in # the log). The Calamares password check rejects passwords with a # score of < 40 with the given libpwquality settings. # # (additional checks may be implemented in CheckPWQuality.cpp and # wired into UsersPage.cpp) # # To disable all password validations: # - comment out the relevant 'passwordRequirements' keys below, # or set minLength and maxLength to -1. # - disable libpwquality at build-time. # To allow all passwords, but provide warnings: # - set both 'allowWeakPasswords' and 'allowWeakPasswordsDefault' to true. # (That will show the box *Allow weak passwords* in the user- # interface, and check it by default). # - configure password-checking however you wish. # To require specific password characteristics: # - set 'allowWeakPasswords' to false (the default) # - configure password-checking, e.g. with NIST settings # These are very weak -- actually, none at all -- requirements passwordRequirements: minLength: -1 # Password at least this many characters maxLength: -1 # Password at most this many characters libpwquality: - minlen=0 - minclass=0 # These are "you must have a password, any password" -- requirements # # passwordRequirements: # minLength: 1 # These are requirements the try to follow the suggestions from # https://pages.nist.gov/800-63-3/sp800-63b.html , "Digital Identity Guidelines". # Note that requiring long and complex passwords has its own cost, # because the user has to come up with one at install time. # Setting 'allowWeakPasswords' to false and 'doAutologin' to false # will require a strong password and prevent (graphical) login # without the password. It is likely to be annoying for casual users. # # passwordRequirements: # minLength: 8 # maxLength: 64 # libpwquality: # - minlen=8 # - maxrepeat=3 # - maxsequence=3 # - usersubstr=4 # - badwords=linux # You can control the visibility of the 'strong passwords' checkbox here. # Possible values are: # - true to show or # - false to hide (default) # the checkbox. This checkbox allows the user to choose to disable # password-strength-checks. By default the box is **hidden**, so # that you have to pick a password that satisfies the checks. allowWeakPasswords: false # You can control the initial state for the 'strong passwords' checkbox here. # Possible values are: # - true to uncheck or # - false to check (default) # the checkbox by default. Since the box is labeled to enforce strong # passwords, in order to **allow** weak ones by default, the box needs # to be unchecked. allowWeakPasswordsDefault: false # User settings # # The user can enter a username, but there are some other # hidden settings for the user which are configurable in Calamares. # # Key *user* has the following sub-keys: # # - *shell* Shell to be used for the regular user of the target system. # There are three possible kinds of settings: # - unset (i.e. commented out, the default), act as if set to /bin/bash # - empty (explicit), don't pass shell information to useradd at all # and rely on a correct configuration file in /etc/default/useradd # - set, non-empty, use that path as shell. No validation is done # that the shell actually exists or is executable. # - *forbidden_names* Login names that may not be used. This list always # contains "root" and "nobody", but may be extended to list other special # names for a given distro (eg. "video", or "mysql" might not be a valid # end-user login name). user: shell: /bin/bash forbidden_names: [ root ] # Hostname settings # # The user can enter a hostname; this is configured into the system # in some way. There are settings for how a hostname is guessed (as # a default / suggestion) and where (or how) the hostname is set in # the target system. # # Key *hostname* has the following sub-keys: # # - *location* How the hostname is set in the target system: # - *None*, to not set the hostname at all # - *EtcFile*, to write to `/etc/hostname` directly # - *Etc*, identical to above # - *Hostnamed*, to use systemd hostnamed(1) over DBus # - *Transient*, to remove `/etc/hostname` from the target # The default is *EtcFile*. Setting this to *None* or *Transient* will # hide the hostname field. # - *writeHostsFile* Should /etc/hosts be written with a hostname for # this machine (also adds localhost and some ipv6 standard entries). # Defaults to *true*. # - *template* Is a simple template for making a suggestion for the # hostname, based on user data. The default is "${first}-${product}". # This is used only if the hostname field is shown. KMacroExpander is # used; write `${key}` where `key` is one of the following: # - *first* User's first name (whatever is first in the User Name field, # which is first-in-order but not necessarily a "first name" as in # "given name" or "name by which you call someone"; beware of western bias) # - *name* All the text in the User Name field. # - *login* The login name (which may be suggested based on User Name) # - *product* The hardware product, based on DMI data # - *product2* The product as described by Qt # - *cpu* CPU name # - *host* Current hostname (which may be a transient hostname) # Literal text in the template is preserved. Calamares tries to map # `${key}` values to something that will fit in a hostname, but does not # apply the same to literal text in the template. Do not use invalid # characters in the literal text, or no suggeston will be done. # - *forbidden_names* lists hostnames that may not be used. This list # always contains "localhost", but may list others that are unsuitable # or broken in special ways. hostname: location: EtcFile writeHostsFile: true template: "snigdhaos-${cpu}" forbidden_names: [ localhost ] presets: fullName: # value: "OEM User" editable: true loginName: # value: "oem" editable: true avatarFilePath: ~/.face