Merge pull request #286310 from rnhmjoj/pr-getty-autologin

nixos/getty: add option to autologin once per boot
NixOS · Apr 11, 2024 · 4a42c79 · 4a42c79
2 parents ababd9c + 3577aef
commit 4a42c79
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 4 deletions.
diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md
@@ -498,6 +498,9 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
   existing process, but will need to start that process from gdb (so it is a
   child). Or you can set `boot.kernel.sysctl."kernel.yama.ptrace_scope"` to 0.
 
+- The new option `services.getty.autologinOnce` was added to limit the automatic login to once per boot and on the first tty only.
+  When using full disk encryption, this option allows to unlock the system without retyping the passphrase while keeping the other ttys protected.
+
 - The netbird module now allows running multiple tunnels in parallel through [`services.netbird.tunnels`](#opt-services.netbird.tunnels).
 
 - [Nginx virtual hosts](#opt-services.nginx.virtualHosts) using `forceSSL` or

diff --git a/nixos/modules/services/ttys/getty.nix b/nixos/modules/services/ttys/getty.nix
@@ -7,14 +7,26 @@ let
 
   baseArgs = [
     "--login-program" "${cfg.loginProgram}"
-  ] ++ optionals (cfg.autologinUser != null) [
+  ] ++ optionals (cfg.autologinUser != null && !cfg.autologinOnce) [
     "--autologin" cfg.autologinUser
   ] ++ optionals (cfg.loginOptions != null) [
     "--login-options" cfg.loginOptions
   ] ++ cfg.extraArgs;
 
   gettyCmd = args:
-    "@${pkgs.util-linux}/sbin/agetty agetty ${escapeShellArgs baseArgs} ${args}";
+    "${pkgs.util-linux}/sbin/agetty ${escapeShellArgs baseArgs} ${args}";
+
+  autologinScript = ''
+    otherArgs="--noclear --keep-baud $TTY 115200,38400,9600 $TERM";
+    ${lib.optionalString cfg.autologinOnce ''
+      autologged="/run/agetty.autologged"
+      if test "$TTY" = tty1 && ! test -f "$autologged"; then
+        touch "$autologged"
+        exec ${gettyCmd "$otherArgs --autologin ${cfg.autologinUser}"}
+      fi
+    ''}
+    exec ${gettyCmd "$otherArgs"}
+  '';
 
 in
 
@@ -40,6 +52,16 @@ in
         '';
       };
 
+      autologinOnce = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          If enabled the automatic login will only happen in the first tty
+          once per boot. This can be useful to avoid retyping the account
+          password on systems with full disk encrypted.
+        '';
+      };
+
       loginProgram = mkOption {
         type = types.path;
         default = "${pkgs.shadow}/bin/login";
@@ -106,9 +128,11 @@ in
 
     systemd.services."getty@" =
       { serviceConfig.ExecStart = [
-          "" # override upstream default with an empty ExecStart
-          (gettyCmd "--noclear --keep-baud %I 115200,38400,9600 $TERM")
+          # override upstream default with an empty ExecStart
+          ""
+          (pkgs.writers.writeDash "getty" autologinScript)
         ];
+        environment.TTY = "%I";
         restartIfChanged = false;
       };