Merge pull request #96991 from Mic92/sshd

nixos/doc/manual/installation/installing.xml

@@ -70,9 +70,13 @@
 
    <para>
     If you would like to continue the installation from a different machine you
-    need to activate the SSH daemon via <command>systemctl start
+    can use activated SSH daemon. You need to copy your ssh key to either
-    sshd</command>. You then must set a password for either <literal>root</literal> or
+    <literal>/home/nixos/.ssh/authorized_keys</literal> or
-    <literal>nixos</literal> with <command>passwd</command> to be able to login.
+    <literal>/root/.ssh/authorized_keys</literal> (Tip: For installers with a
+    modifiable filesystem such as the sd-card installer image a key can be manually
+    placed by mounting the image on a different machine). Alternatively you must set
+    a password for either <literal>root</literal> or <literal>nixos</literal> with
+    <command>passwd</command> to be able to login.
    </para>
   </section>
  </section>

nixos/doc/manual/release-notes/rl-2009.xml

@@ -901,6 +901,10 @@ CREATE ROLE postgres LOGIN SUPERUSER;
      Default algorithm for ZRAM swap was changed to <literal>zstd</literal>.
    </para>
    </listitem>
+   <listitem>
+    The installer now enables sshd by default. This improves installation on headless machines especially ARM single-board-computer.
+    To login through ssh, either a password or an ssh key must be set for the root user or the nixos user.
+   </listitem>
    <listitem>
     <para>
      The scripted networking system now uses <literal>.link</literal> files in

nixos/modules/profiles/installation-device.nix

@@ -51,22 +51,23 @@ with lib;
     services.mingetty.helpLine = ''
       The "nixos" and "root" accounts have empty passwords.
 
-      Type `sudo systemctl start sshd` to start the SSH daemon.
+      An ssh daemon is running. You then must set a password
-      You then must set a password for either "root" or "nixos"
+      for either "root" or "nixos" with `passwd` or add an ssh key
-      with `passwd` to be able to login.
+      to /home/nixos/.ssh/authorized_keys be able to login.
     '' + optionalString config.services.xserver.enable ''
       Type `sudo systemctl start display-manager' to
       start the graphical user interface.
     '';
 
-    # Allow sshd to be started manually through "systemctl start sshd".
+    # We run sshd by default. Login via root is only possible after adding a
+    # password via "passwd" or by adding a ssh key to /home/nixos/.ssh/authorized_keys.
+    # The latter one is particular useful if keys are manually added to
+    # installation device for head-less systems i.e. arm boards by manually
+    # mounting the storage in a different system.
     services.openssh = {
       enable = true;
-      # Allow password login to the installation, if the user sets a password via "passwd"
-      # It is safe as root doesn't have a password by default and SSH is disabled by default
       permitRootLogin = "yes";
     };
-    systemd.services.sshd.wantedBy = mkOverride 50 [];
 
     # Enable wpa_supplicant, but don't start it by default.
     networking.wireless.enable = mkDefault true;