mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-07-14 06:00:33 +03:00
nixos/shadow: clean up module
This commit is contained in:
parent
725777250b
commit
edd19efe4e
1 changed files with 34 additions and 36 deletions
|
@ -4,7 +4,7 @@ let
|
||||||
cfg = config.security.loginDefs;
|
cfg = config.security.loginDefs;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options = with lib.types; {
|
options = {
|
||||||
|
|
||||||
security.shadow.enable = lib.mkEnableOption "" // {
|
security.shadow.enable = lib.mkEnableOption "" // {
|
||||||
default = true;
|
default = true;
|
||||||
|
@ -23,7 +23,7 @@ in
|
||||||
description = ''
|
description = ''
|
||||||
Use chfn SUID to allow non-root users to change their account GECOS information.
|
Use chfn SUID to allow non-root users to change their account GECOS information.
|
||||||
'';
|
'';
|
||||||
type = nullOr str;
|
type = lib.types.nullOr lib.types.str;
|
||||||
default = null;
|
default = null;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -33,7 +33,7 @@ in
|
||||||
the site-specific configuration for the shadow password suite.
|
the site-specific configuration for the shadow password suite.
|
||||||
See login.defs(5) man page for available options.
|
See login.defs(5) man page for available options.
|
||||||
'';
|
'';
|
||||||
type = submodule {
|
type = lib.types.submodule {
|
||||||
freeformType = (pkgs.formats.keyValue { }).type;
|
freeformType = (pkgs.formats.keyValue { }).type;
|
||||||
/* There are three different sources for user/group id ranges, each of which gets
|
/* There are three different sources for user/group id ranges, each of which gets
|
||||||
used by different programs:
|
used by different programs:
|
||||||
|
@ -48,62 +48,62 @@ in
|
||||||
DEFAULT_HOME = lib.mkOption {
|
DEFAULT_HOME = lib.mkOption {
|
||||||
description = "Indicate if login is allowed if we can't cd to the home directory.";
|
description = "Indicate if login is allowed if we can't cd to the home directory.";
|
||||||
default = "yes";
|
default = "yes";
|
||||||
type = enum [ "yes" "no" ];
|
type = lib.types.enum [ "yes" "no" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
ENCRYPT_METHOD = lib.mkOption {
|
ENCRYPT_METHOD = lib.mkOption {
|
||||||
description = "This defines the system default encryption algorithm for encrypting passwords.";
|
description = "This defines the system default encryption algorithm for encrypting passwords.";
|
||||||
# The default crypt() method, keep in sync with the PAM default
|
# The default crypt() method, keep in sync with the PAM default
|
||||||
default = "YESCRYPT";
|
default = "YESCRYPT";
|
||||||
type = enum [ "YESCRYPT" "SHA512" "SHA256" "MD5" "DES"];
|
type = lib.types.enum [ "YESCRYPT" "SHA512" "SHA256" "MD5" "DES"];
|
||||||
};
|
};
|
||||||
|
|
||||||
SYS_UID_MIN = lib.mkOption {
|
SYS_UID_MIN = lib.mkOption {
|
||||||
description = "Range of user IDs used for the creation of system users by useradd or newusers.";
|
description = "Range of user IDs used for the creation of system users by useradd or newusers.";
|
||||||
default = 400;
|
default = 400;
|
||||||
type = int;
|
type = lib.types.int;
|
||||||
};
|
};
|
||||||
|
|
||||||
SYS_UID_MAX = lib.mkOption {
|
SYS_UID_MAX = lib.mkOption {
|
||||||
description = "Range of user IDs used for the creation of system users by useradd or newusers.";
|
description = "Range of user IDs used for the creation of system users by useradd or newusers.";
|
||||||
default = 999;
|
default = 999;
|
||||||
type = int;
|
type = lib.types.int;
|
||||||
};
|
};
|
||||||
|
|
||||||
UID_MIN = lib.mkOption {
|
UID_MIN = lib.mkOption {
|
||||||
description = "Range of user IDs used for the creation of regular users by useradd or newusers.";
|
description = "Range of user IDs used for the creation of regular users by useradd or newusers.";
|
||||||
default = 1000;
|
default = 1000;
|
||||||
type = int;
|
type = lib.types.int;
|
||||||
};
|
};
|
||||||
|
|
||||||
UID_MAX = lib.mkOption {
|
UID_MAX = lib.mkOption {
|
||||||
description = "Range of user IDs used for the creation of regular users by useradd or newusers.";
|
description = "Range of user IDs used for the creation of regular users by useradd or newusers.";
|
||||||
default = 29999;
|
default = 29999;
|
||||||
type = int;
|
type = lib.types.int;
|
||||||
};
|
};
|
||||||
|
|
||||||
SYS_GID_MIN = lib.mkOption {
|
SYS_GID_MIN = lib.mkOption {
|
||||||
description = "Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers";
|
description = "Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers";
|
||||||
default = 400;
|
default = 400;
|
||||||
type = int;
|
type = lib.types.int;
|
||||||
};
|
};
|
||||||
|
|
||||||
SYS_GID_MAX = lib.mkOption {
|
SYS_GID_MAX = lib.mkOption {
|
||||||
description = "Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers";
|
description = "Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers";
|
||||||
default = 999;
|
default = 999;
|
||||||
type = int;
|
type = lib.types.int;
|
||||||
};
|
};
|
||||||
|
|
||||||
GID_MIN = lib.mkOption {
|
GID_MIN = lib.mkOption {
|
||||||
description = "Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers.";
|
description = "Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers.";
|
||||||
default = 1000;
|
default = 1000;
|
||||||
type = int;
|
type = lib.types.int;
|
||||||
};
|
};
|
||||||
|
|
||||||
GID_MAX = lib.mkOption {
|
GID_MAX = lib.mkOption {
|
||||||
description = "Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers.";
|
description = "Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers.";
|
||||||
default = 29999;
|
default = 29999;
|
||||||
type = int;
|
type = lib.types.int;
|
||||||
};
|
};
|
||||||
|
|
||||||
TTYGROUP = lib.mkOption {
|
TTYGROUP = lib.mkOption {
|
||||||
|
@ -111,7 +111,7 @@ in
|
||||||
The terminal permissions: the login tty will be owned by the TTYGROUP group,
|
The terminal permissions: the login tty will be owned by the TTYGROUP group,
|
||||||
and the permissions will be set to TTYPERM'';
|
and the permissions will be set to TTYPERM'';
|
||||||
default = "tty";
|
default = "tty";
|
||||||
type = str;
|
type = lib.types.str;
|
||||||
};
|
};
|
||||||
|
|
||||||
TTYPERM = lib.mkOption {
|
TTYPERM = lib.mkOption {
|
||||||
|
@ -119,14 +119,14 @@ in
|
||||||
The terminal permissions: the login tty will be owned by the TTYGROUP group,
|
The terminal permissions: the login tty will be owned by the TTYGROUP group,
|
||||||
and the permissions will be set to TTYPERM'';
|
and the permissions will be set to TTYPERM'';
|
||||||
default = "0620";
|
default = "0620";
|
||||||
type = str;
|
type = lib.types.str;
|
||||||
};
|
};
|
||||||
|
|
||||||
# Ensure privacy for newly created home directories.
|
# Ensure privacy for newly created home directories.
|
||||||
UMASK = lib.mkOption {
|
UMASK = lib.mkOption {
|
||||||
description = "The file mode creation mask is initialized to this value.";
|
description = "The file mode creation mask is initialized to this value.";
|
||||||
default = "077";
|
default = "077";
|
||||||
type = str;
|
type = lib.types.str;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -143,7 +143,7 @@ in
|
||||||
used outside the store (in particular in /etc/passwd).
|
used outside the store (in particular in /etc/passwd).
|
||||||
'';
|
'';
|
||||||
example = lib.literalExpression "pkgs.zsh";
|
example = lib.literalExpression "pkgs.zsh";
|
||||||
type = either path shellPackage;
|
type = lib.types.either lib.types.path lib.types.shellPackage;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -178,12 +178,11 @@ in
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
security.loginDefs.settings.CHFN_RESTRICT =
|
security.loginDefs.settings.CHFN_RESTRICT = lib.mkIf (cfg.chfnRestrict != null) cfg.chfnRestrict;
|
||||||
lib.mkIf (cfg.chfnRestrict != null) cfg.chfnRestrict;
|
|
||||||
|
|
||||||
environment.systemPackages = lib.optional config.users.mutableUsers cfg.package
|
environment.systemPackages = lib.optional config.users.mutableUsers cfg.package
|
||||||
++ lib.optional (lib.types.shellPackage.check config.users.defaultUserShell) config.users.defaultUserShell
|
++ lib.optional (lib.types.shellPackage.check config.users.defaultUserShell) config.users.defaultUserShell
|
||||||
++ lib.optional (cfg.chfnRestrict != null) pkgs.util-linux;
|
++ lib.optional (cfg.chfnRestrict != null) pkgs.util-linux;
|
||||||
|
|
||||||
environment.etc =
|
environment.etc =
|
||||||
# Create custom toKeyValue generator
|
# Create custom toKeyValue generator
|
||||||
|
@ -192,23 +191,22 @@ in
|
||||||
toKeyValue = lib.generators.toKeyValue {
|
toKeyValue = lib.generators.toKeyValue {
|
||||||
mkKeyValue = lib.generators.mkKeyValueDefault { } " ";
|
mkKeyValue = lib.generators.mkKeyValueDefault { } " ";
|
||||||
};
|
};
|
||||||
in
|
in {
|
||||||
{
|
# /etc/login.defs: global configuration for pwdutils.
|
||||||
# /etc/login.defs: global configuration for pwdutils.
|
# You cannot login without it!
|
||||||
# You cannot login without it!
|
"login.defs".source = pkgs.writeText "login.defs" (toKeyValue cfg.settings);
|
||||||
"login.defs".source = pkgs.writeText "login.defs" (toKeyValue cfg.settings);
|
|
||||||
|
|
||||||
# /etc/default/useradd: configuration for useradd.
|
# /etc/default/useradd: configuration for useradd.
|
||||||
"default/useradd".source = pkgs.writeText "useradd" ''
|
"default/useradd".source = pkgs.writeText "useradd" ''
|
||||||
GROUP=100
|
GROUP=100
|
||||||
HOME=/home
|
HOME=/home
|
||||||
SHELL=${utils.toShellPath config.users.defaultUserShell}
|
SHELL=${utils.toShellPath config.users.defaultUserShell}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
security.pam.services = {
|
security.pam.services = {
|
||||||
chsh = { rootOK = true; };
|
chsh.rootOK = true;
|
||||||
chfn = { rootOK = true; };
|
chfn.rootOK = true;
|
||||||
su = {
|
su = {
|
||||||
rootOK = true;
|
rootOK = true;
|
||||||
forwardXAuth = true;
|
forwardXAuth = true;
|
||||||
|
@ -231,7 +229,7 @@ in
|
||||||
showMotd = true;
|
showMotd = true;
|
||||||
updateWtmp = true;
|
updateWtmp = true;
|
||||||
};
|
};
|
||||||
chpasswd = { rootOK = true; };
|
chpasswd.rootOK = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
security.wrappers =
|
security.wrappers =
|
||||||
|
|
Loading…
Add table
Add a link
Reference in a new issue