bartman's blog

NixOS molly-guard

bartman

I accidentally ran sudo reboot on my local desktop, thinking the shell was connected to a remote server over ssh. This rebooted the wrong system… Oops.

On Debian, I used the molly-guard package for years, and I had installed molly-guard on my NixOS desktop, but apparently I didn’t configure it correctly.

Default Molly-Guard Behavior

I had molly-guard installed via environment.systemPackages, but its default config does not set ALWAYS_QUERY_HOSTNAME=true, so it didn’t prompt on local sessions.

Config Source

Molly-guard reads its config from the Nix store path in its derivation, not from /etc/molly-guard/rc.

Initial Attempt with postInstall

I added a postInstall step in the package override to edit $out/etc/molly-guard/rc and uncomment ALWAYS_QUERY_HOSTNAME=true, but this phase didn’t execute during the build. Apparently Debian-derived packages do not have an installPhase, so postInstall never runs.

Successful Fix with postFixup

I switched to a postFixup step instead:

{ pkgs, ... }:
let
  # Override the packaged molly-guard so the rc file inside its store path
  # has ALWAYS_QUERY_HOSTNAME=true uncommented.
  molly-guard-patched = pkgs.molly-guard.overrideAttrs (old: {
    postFixup = (old.postFixup or "") + ''
      sed -i '/ALWAYS_QUERY_HOSTNAME=true/s/^# *//' $out/etc/molly-guard/rc
    '';
  });
in
{
  environment.systemPackages = with pkgs; [
    molly-guard-patched
    # other packages...
  ];
}

After nixos-rebuild switch, this applied the change.

Verification

To confirm:

$ grep SETTINGS `which reboot`
MOLLYGUARD_SETTINGS="/nix/store/dpd7v9jla4a36sfdn0pdj9pj9hgzl42r-molly-guard-0.7.2/etc/molly-guard/rc"; export MOLLYGUARD_SETTINGS

$ grep ALWAYS_QUERY_HOSTNAME /nix/store/dpd7v9jla4a36sfdn0pdj9pj9hgzl42r-molly-guard-0.7.2/etc/molly-guard/rc
ALWAYS_QUERY_HOSTNAME=true

Now, sudo reboot always prompts for the hostname, even locally.
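
A plain grep for ALWAYS_QUERY_HOSTNAME also matches the commented-out line, so the check above relies on reading the output. The script below is an added example, not part of the original post: it follows the wrapper's MOLLYGUARD_SETTINGS path and succeeds only on an uncommented assignment. The function names are hypothetical, the value is assumed to be written unquoted, and the demo files are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the rc file a
# molly-guard wrapper points at really enables ALWAYS_QUERY_HOSTNAME.

# Print the rc path the wrapper exports as MOLLYGUARD_SETTINGS.
mg_settings_path() {
    sed -n 's/^[[:space:]]*MOLLYGUARD_SETTINGS="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Succeed only if the last uncommented assignment is "true".
# Assumption: the value is written unquoted, as in the output shown above.
mg_always_query() {
    val=$(sed -n 's/^[[:space:]]*ALWAYS_QUERY_HOSTNAME=\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1)
    [ "$val" = "true" ]
}

# Check one wrapper: 0 = prompts locally, 1 = not enabled, 2 = rc not found.
mg_check() {
    rc=$(mg_settings_path "$1")
    if [ -z "$rc" ] || [ ! -r "$rc" ]; then
        return 2
    fi
    if mg_always_query "$rc"; then return 0; else return 1; fi
}

# Demo on constructed files: a wrapper and an rc with the option commented out.
# Prints the mg_check status before and after the sed edit used in postFixup.
mg_demo() {
    dir=$(mktemp -d) || return 3
    printf '# ALWAYS_QUERY_HOSTNAME=true\n' > "$dir/rc"
    printf '#!/bin/sh\nMOLLYGUARD_SETTINGS="%s"; export MOLLYGUARD_SETTINGS\n' "$dir/rc" > "$dir/reboot"
    before=0; mg_check "$dir/reboot" || before=$?
    sed -i '/ALWAYS_QUERY_HOSTNAME=true/s/^# *//' "$dir/rc"
    after=0; mg_check "$dir/reboot" || after=$?
    rm -rf "$dir"
    echo "$before $after"
}

# On a real system: mg_check "$(command -v reboot)"; echo "status: $?"
```

A status of 1 after a rebuild means the wrapper still points at an rc where the option is commented out or set to something other than true.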
