Provide root account in emergency shell

mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/50-rafeos-base.preset

@@ -2,4 +2,8 @@
 enable apparmor.service
 
 # Displays boot-time emergency log message in full screen.
-enable systemd-bsod.service
+enable systemd-bsod.service
+
+# Populates empty /etc/ca-certificates/extracted/, /etc/ssl/certs
+# and /etc/ssl/certs/java/cacerts on new user root
+enable update-ca-certificates.service

mkosi.images/base/mkosi.extra/usr/lib/systemd/system/update-ca-certificates.service

@@ -0,0 +1,9 @@
+[Unit]
+Description=Update CA certificates
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/update-ca-trust extract
+
+[Install]
+WantedBy=multi-user.target

mkosi.images/base/mkosi.extra/usr/lib/tmpfiles.d/20-update-ca-trust.conf

@@ -0,0 +1,5 @@
+# Create missing directories for update-ca-certificates.service
+d     /etc/ca-certificates/extracted        0755 root root - -
+d     /etc/ca-certificates/extracted/cadir  0755 root root - -
+d     /etc/ssl/certs                        0755 root root - -
+d     /etc/ssl/certs/java                   0755 root root - -

mkosi.images/base/mkosi.skeleton/etc/mkinitcpio.conf.d/mkinitcpio.conf

@@ -9,5 +9,6 @@ HOOKS=(
     sd-vconsole
     sd-encrypt
     filesystems
+    rootaccount
     fsck
 )

mkosi.images/initrd/mkosi.extra/usr/lib/initcpio/install/rootaccount

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+build() {
+    echo "root:x:0:0:root:/root:/bin/sh" >"$BUILDROOT/etc/passwd"
+    echo 'root:$6$DXr1u5U4Oq9jnjbV$isIW7SHl8nW.GZNsWs6CD.SXaeeInSf2TsBS33DcybFkD0WZyex4Dz1AvEKCfGiCyyKGSDGkOVrl6JHT2.6b1/:::::::' >"$BUILDROOT/etc/shadow"
+}
+
+help() {
+    cat <<EOF
+Enables root access on emergency console.
+EOF
+}

mkosi.images/server/mkosi.conf

@@ -13,7 +13,6 @@ CompressOutput=xz
 [Content]
 Bootable=yes
 SourceDateEpoch=0
-Autologin=yes
 BaseTrees=../../mkosi.output/base/
 Initrds=../../mkosi.output/initrd
 CleanPackageMetadata=yes