movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-10 03:23:29 +03:00
Code Issues Projects Releases Packages Wiki Activity

nixos/pam: conditional enabling of services

Browse source
This commit is contained in:
Ryan Hendrickson 2025-04-15 23:19:42 -04:00
parent 1227010d7c
commit 2ef165538a
4 changed files with 21 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

2
nixos/doc/manual/release-notes/rl-2505.section.md
View file

@ -441,6 +441,8 @@
- Overriding Wayland compositor is possible using `waylandSessionCompositor` option, but you might need to take care [`xfce4-session`](https://gitlab.xfce.org/xfce/xfce4-session/-/merge_requests/49), [`dbus-update-activation-environment`](https://github.com/labwc/labwc/blob/eaf11face68ee1f1bcc7ce1498304ca8c108c8ba/src/config/session.c#L234) and [`systemctl --user import-environment`](https://github.com/labwc/labwc/blob/eaf11face68ee1f1bcc7ce1498304ca8c108c8ba/src/config/session.c#L239) on startup. - Overriding Wayland compositor is possible using `waylandSessionCompositor` option, but you might need to take care [`xfce4-session`](https://gitlab.xfce.org/xfce/xfce4-session/-/merge_requests/49), [`dbus-update-activation-environment`](https://github.com/labwc/labwc/blob/eaf11face68ee1f1bcc7ce1498304ca8c108c8ba/src/config/session.c#L234) and [`systemctl --user import-environment`](https://github.com/labwc/labwc/blob/eaf11face68ee1f1bcc7ce1498304ca8c108c8ba/src/config/session.c#L239) on startup.
- For new Xfce installations, default panel layout has [changed](https://gitlab.xfce.org/xfce/xfce4-panel/-/merge_requests/158/diffs) to not include external panel plugins by default. You can still add them yourself using the "Panel Preferences" dialog. - For new Xfce installations, default panel layout has [changed](https://gitlab.xfce.org/xfce/xfce4-panel/-/merge_requests/158/diffs) to not include external panel plugins by default. You can still add them yourself using the "Panel Preferences" dialog.
- PAM services for `i3lock`/`i3lock-color`, `vlock`, `xlock`, and `xscreensaver` now default to disabled unless other corresponding NixOS options are set (`programs.i3lock.enable`, `console.enable`, `services.xserver.enable`, and `services.xscreensaver.enable`, respectively). If for some reason you want one of them back without setting the corresponding option, set, e.g., `security.pam.services.xlock.enable = true`.
- [`system.stateVersion`](#opt-system.stateVersion) is now validated and must be in the `"YY.MM"` format, ideally corresponding to a prior NixOS release. - [`system.stateVersion`](#opt-system.stateVersion) is now validated and must be in the `"YY.MM"` format, ideally corresponding to a prior NixOS release.
- `services.mysql` now supports easy cluster setup via [`services.mysql.galeraCluster`](#opt-services.mysql.galeraCluster.enable) option. - `services.mysql` now supports easy cluster setup via [`services.mysql.galeraCluster`](#opt-services.mysql.galeraCluster.enable) option.

23
nixos/modules/security/pam.nix
View file

@ -145,6 +145,11 @@ let
description = "Name of the PAM service."; description = "Name of the PAM service.";
}; };
enable = lib.mkEnableOption "this PAM service" // {
default = true;
example = false;
};
rules = lib.mkOption { rules = lib.mkOption {
# This option is experimental and subject to breaking changes without notice. # This option is experimental and subject to breaking changes without notice.
visible = false; visible = false;
@ -1566,6 +1571,8 @@ let
Defaults env_keep+=SSH_AUTH_SOCK Defaults env_keep+=SSH_AUTH_SOCK
''; '';
enabledServices = lib.filterAttrs (name: svc: svc.enable) config.security.pam.services;
in in
{ {
@ -2282,7 +2289,7 @@ in
}; };
}; };
environment.etc = lib.mapAttrs' makePAMService config.security.pam.services; environment.etc = lib.mapAttrs' makePAMService enabledServices;
security.pam.services = security.pam.services =
{ {
@ -2298,11 +2305,11 @@ in
''; '';
# Most of these should be moved to specific modules. # Most of these should be moved to specific modules.
i3lock = { }; i3lock.enable = lib.mkDefault config.programs.i3lock.enable;
i3lock-color = { }; i3lock-color.enable = lib.mkDefault config.programs.i3lock.enable;
vlock = { }; vlock.enable = lib.mkDefault config.console.enable;
xlock = { }; xlock.enable = lib.mkDefault config.services.xserver.enable;
xscreensaver = { }; xscreensaver.enable = lib.mkDefault config.services.xscreensaver.enable;
runuser = { runuser = {
rootOK = true; rootOK = true;
@ -2327,11 +2334,11 @@ in
security.apparmor.includes."abstractions/pam" = security.apparmor.includes."abstractions/pam" =
lib.concatMapStrings (name: "r ${config.environment.etc."pam.d/${name}".source},\n") ( lib.concatMapStrings (name: "r ${config.environment.etc."pam.d/${name}".source},\n") (
lib.attrNames config.security.pam.services lib.attrNames enabledServices
) )
+ ( + (
with lib; with lib;
pipe config.security.pam.services [ pipe enabledServices [
lib.attrValues lib.attrValues
(catAttrs "rules") (catAttrs "rules")
(lib.concatMap lib.attrValues) (lib.concatMap lib.attrValues)

2
nixos/modules/security/pam_mount.nix
View file

@ -15,7 +15,7 @@ let
${pkgs.lsof}/bin/lsof | ${pkgs.gnugrep}/bin/grep $MNTPT | ${pkgs.gawk}/bin/awk '{print $2}' | ${pkgs.findutils}/bin/xargs ${pkgs.util-linux}/bin/kill -$SIGNAL ${pkgs.lsof}/bin/lsof | ${pkgs.gnugrep}/bin/grep $MNTPT | ${pkgs.gawk}/bin/awk '{print $2}' | ${pkgs.findutils}/bin/xargs ${pkgs.util-linux}/bin/kill -$SIGNAL
''; '';
anyPamMount = lib.any (lib.attrByPath [ "pamMount" ] false) ( anyPamMount = lib.any (svc: svc.enable && svc.pamMount) (
lib.attrValues config.security.pam.services lib.attrValues config.security.pam.services
); );
in in

6
nixos/modules/services/x11/display-managers/gdm.nix
View file

@ -9,7 +9,7 @@ let
cfg = config.services.xserver.displayManager; cfg = config.services.xserver.displayManager;
gdm = pkgs.gdm; gdm = pkgs.gdm;
pamCfg = config.security.pam.services; pamLogin = config.security.pam.services.login;
settingsFormat = pkgs.formats.ini { }; settingsFormat = pkgs.formats.ini { };
configFile = settingsFormat.generate "custom.conf" cfg.gdm.settings; configFile = settingsFormat.generate "custom.conf" cfg.gdm.settings;
@ -345,7 +345,7 @@ in
gdm-autologin.text = '' gdm-autologin.text = ''
auth requisite pam_nologin.so auth requisite pam_nologin.so
auth required pam_succeed_if.so uid >= 1000 quiet auth required pam_succeed_if.so uid >= 1000 quiet
${lib.optionalString pamCfg.login.enableGnomeKeyring '' ${lib.optionalString (pamLogin.enable && pamLogin.enableGnomeKeyring) ''
auth [success=ok default=1] ${gdm}/lib/security/pam_gdm.so auth [success=ok default=1] ${gdm}/lib/security/pam_gdm.so
auth optional ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so auth optional ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so
''} ''}
@ -369,7 +369,7 @@ in
auth requisite pam_faillock.so preauth auth requisite pam_faillock.so preauth
auth required ${pkgs.fprintd}/lib/security/pam_fprintd.so auth required ${pkgs.fprintd}/lib/security/pam_fprintd.so
auth required pam_env.so auth required pam_env.so
${lib.optionalString pamCfg.login.enableGnomeKeyring '' ${lib.optionalString (pamLogin.enable && pamLogin.enableGnomeKeyring) ''
auth [success=ok default=1] ${gdm}/lib/security/pam_gdm.so auth [success=ok default=1] ${gdm}/lib/security/pam_gdm.so
auth optional ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so auth optional ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so
''} ''}