Hello, I could have sworn I read the answer to this somewhere in the NixOS manual or other online resource, but forgot the details and can’t find it now.
What are the canonical configuration.nix settings to disable logging into the root user account? I want to script a system where sudo is the only way to run commands as root.
Thanks!
You can do users.users.root.hashedPassword = "!";. We should probably document this more clearly somewhere. The trick here is that nothing can possibly hash to just “!”, so it effectively disables password auth for the root user.
Thanks! Does this also require mutableUsers = false?
I’m getting boot failures with the following error if I set it up like that: Cannot open access to console, the root account is locked.
What version of nixos are you on?
When I install NixOS from scratch, users.users.root.hashedPassword = "!" doesn’t do anything. The installer still prompts for root password, and I can still log in as root w/ said password.
Any way to prevent the installer from prompting for password?
$ nixos-version
21.05.1790.382039c05a1 (Okapi)
nixos-install --no-root-passwd, check nixos-install --help for some other useful flags 
For reference, the suggested setting here fails to work because you have users.mutableUsers enabled, see here.
And in case you run into boot issues as @jluttine did, this is usually because of mount misconfiguration and systemd refusing to boot with a certain drive not mounted. This will put you into rescue mode, which can only be entered as root - see use non root account for rescue.service and emergency.service · Issue #11596 · systemd/systemd · GitHub. I believe that there is a) a way to disable that behavior in nixos and b) a way to drop into a user shell with that, and there are posts on this discourse describing how to do both, but I’ve forgotten how and can’t find the threads at least disabling is done with this setting: systemd.enableEmergencyMode.
In short, make sure filesystems..neededForBoot is set correctly if you don’t have a root password and you’ll be fine.