
nixos/shadow: clean up module

This commit is contained in:
Tom Fitzhenry 2024-05-19 06:12:53 +10:00 committed by tomf
parent 725777250b
commit edd19efe4e


@ -4,7 +4,7 @@ let
cfg = config.security.loginDefs; cfg = config.security.loginDefs;
in in
{ {
options = with lib.types; { options = {
security.shadow.enable = lib.mkEnableOption "" // { security.shadow.enable = lib.mkEnableOption "" // {
default = true; default = true;
@ -23,7 +23,7 @@ in
description = '' description = ''
Use chfn SUID to allow non-root users to change their account GECOS information. Use chfn SUID to allow non-root users to change their account GECOS information.
''; '';
type = nullOr str; type = lib.types.nullOr lib.types.str;
default = null; default = null;
}; };
@ -33,7 +33,7 @@ in
the site-specific configuration for the shadow password suite. the site-specific configuration for the shadow password suite.
See login.defs(5) man page for available options. See login.defs(5) man page for available options.
''; '';
type = submodule { type = lib.types.submodule {
freeformType = (pkgs.formats.keyValue { }).type; freeformType = (pkgs.formats.keyValue { }).type;
/* There are three different sources for user/group id ranges, each of which gets /* There are three different sources for user/group id ranges, each of which gets
used by different programs: used by different programs:
@ -48,62 +48,62 @@ in
DEFAULT_HOME = lib.mkOption { DEFAULT_HOME = lib.mkOption {
description = "Indicate if login is allowed if we can't cd to the home directory."; description = "Indicate if login is allowed if we can't cd to the home directory.";
default = "yes"; default = "yes";
type = enum [ "yes" "no" ]; type = lib.types.enum [ "yes" "no" ];
}; };
ENCRYPT_METHOD = lib.mkOption { ENCRYPT_METHOD = lib.mkOption {
description = "This defines the system default encryption algorithm for encrypting passwords."; description = "This defines the system default encryption algorithm for encrypting passwords.";
# The default crypt() method, keep in sync with the PAM default # The default crypt() method, keep in sync with the PAM default
default = "YESCRYPT"; default = "YESCRYPT";
type = enum [ "YESCRYPT" "SHA512" "SHA256" "MD5" "DES"]; type = lib.types.enum [ "YESCRYPT" "SHA512" "SHA256" "MD5" "DES"];
}; };
SYS_UID_MIN = lib.mkOption { SYS_UID_MIN = lib.mkOption {
description = "Range of user IDs used for the creation of system users by useradd or newusers."; description = "Range of user IDs used for the creation of system users by useradd or newusers.";
default = 400; default = 400;
type = int; type = lib.types.int;
}; };
SYS_UID_MAX = lib.mkOption { SYS_UID_MAX = lib.mkOption {
description = "Range of user IDs used for the creation of system users by useradd or newusers."; description = "Range of user IDs used for the creation of system users by useradd or newusers.";
default = 999; default = 999;
type = int; type = lib.types.int;
}; };
UID_MIN = lib.mkOption { UID_MIN = lib.mkOption {
description = "Range of user IDs used for the creation of regular users by useradd or newusers."; description = "Range of user IDs used for the creation of regular users by useradd or newusers.";
default = 1000; default = 1000;
type = int; type = lib.types.int;
}; };
UID_MAX = lib.mkOption { UID_MAX = lib.mkOption {
description = "Range of user IDs used for the creation of regular users by useradd or newusers."; description = "Range of user IDs used for the creation of regular users by useradd or newusers.";
default = 29999; default = 29999;
type = int; type = lib.types.int;
}; };
SYS_GID_MIN = lib.mkOption { SYS_GID_MIN = lib.mkOption {
description = "Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers"; description = "Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers";
default = 400; default = 400;
type = int; type = lib.types.int;
}; };
SYS_GID_MAX = lib.mkOption { SYS_GID_MAX = lib.mkOption {
description = "Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers"; description = "Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers";
default = 999; default = 999;
type = int; type = lib.types.int;
}; };
GID_MIN = lib.mkOption { GID_MIN = lib.mkOption {
description = "Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers."; description = "Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers.";
default = 1000; default = 1000;
type = int; type = lib.types.int;
}; };
GID_MAX = lib.mkOption { GID_MAX = lib.mkOption {
description = "Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers."; description = "Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers.";
default = 29999; default = 29999;
type = int; type = lib.types.int;
}; };
TTYGROUP = lib.mkOption { TTYGROUP = lib.mkOption {
@ -111,7 +111,7 @@ in
The terminal permissions: the login tty will be owned by the TTYGROUP group, The terminal permissions: the login tty will be owned by the TTYGROUP group,
and the permissions will be set to TTYPERM''; and the permissions will be set to TTYPERM'';
default = "tty"; default = "tty";
type = str; type = lib.types.str;
}; };
TTYPERM = lib.mkOption { TTYPERM = lib.mkOption {
@ -119,14 +119,14 @@ in
The terminal permissions: the login tty will be owned by the TTYGROUP group, The terminal permissions: the login tty will be owned by the TTYGROUP group,
and the permissions will be set to TTYPERM''; and the permissions will be set to TTYPERM'';
default = "0620"; default = "0620";
type = str; type = lib.types.str;
}; };
# Ensure privacy for newly created home directories. # Ensure privacy for newly created home directories.
UMASK = lib.mkOption { UMASK = lib.mkOption {
description = "The file mode creation mask is initialized to this value."; description = "The file mode creation mask is initialized to this value.";
default = "077"; default = "077";
type = str; type = lib.types.str;
}; };
}; };
}; };
@ -143,7 +143,7 @@ in
used outside the store (in particular in /etc/passwd). used outside the store (in particular in /etc/passwd).
''; '';
example = lib.literalExpression "pkgs.zsh"; example = lib.literalExpression "pkgs.zsh";
type = either path shellPackage; type = lib.types.either lib.types.path lib.types.shellPackage;
}; };
}; };
@ -178,12 +178,11 @@ in
} }
]; ];
security.loginDefs.settings.CHFN_RESTRICT = security.loginDefs.settings.CHFN_RESTRICT = lib.mkIf (cfg.chfnRestrict != null) cfg.chfnRestrict;
lib.mkIf (cfg.chfnRestrict != null) cfg.chfnRestrict;
environment.systemPackages = lib.optional config.users.mutableUsers cfg.package environment.systemPackages = lib.optional config.users.mutableUsers cfg.package
++ lib.optional (lib.types.shellPackage.check config.users.defaultUserShell) config.users.defaultUserShell ++ lib.optional (lib.types.shellPackage.check config.users.defaultUserShell) config.users.defaultUserShell
++ lib.optional (cfg.chfnRestrict != null) pkgs.util-linux; ++ lib.optional (cfg.chfnRestrict != null) pkgs.util-linux;
environment.etc = environment.etc =
# Create custom toKeyValue generator # Create custom toKeyValue generator
@ -192,23 +191,22 @@ in
toKeyValue = lib.generators.toKeyValue { toKeyValue = lib.generators.toKeyValue {
mkKeyValue = lib.generators.mkKeyValueDefault { } " "; mkKeyValue = lib.generators.mkKeyValueDefault { } " ";
}; };
in in {
{ # /etc/login.defs: global configuration for pwdutils.
# /etc/login.defs: global configuration for pwdutils. # You cannot login without it!
# You cannot login without it! "login.defs".source = pkgs.writeText "login.defs" (toKeyValue cfg.settings);
"login.defs".source = pkgs.writeText "login.defs" (toKeyValue cfg.settings);
# /etc/default/useradd: configuration for useradd. # /etc/default/useradd: configuration for useradd.
"default/useradd".source = pkgs.writeText "useradd" '' "default/useradd".source = pkgs.writeText "useradd" ''
GROUP=100 GROUP=100
HOME=/home HOME=/home
SHELL=${utils.toShellPath config.users.defaultUserShell} SHELL=${utils.toShellPath config.users.defaultUserShell}
''; '';
}; };
security.pam.services = { security.pam.services = {
chsh = { rootOK = true; }; chsh.rootOK = true;
chfn = { rootOK = true; }; chfn.rootOK = true;
su = { su = {
rootOK = true; rootOK = true;
forwardXAuth = true; forwardXAuth = true;
@ -231,7 +229,7 @@ in
showMotd = true; showMotd = true;
updateWtmp = true; updateWtmp = true;
}; };
chpasswd = { rootOK = true; }; chpasswd.rootOK = true;
}; };
security.wrappers = security.wrappers =