movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-19 16:40:32 +03:00
Code Activity
nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix
Silvan Mosberger d9d87c5196 treewide: format all inactive Nix files 
After final improvements to the official formatter implementation,
this commit now performs the first treewide reformat of Nix files using it.
This is part of the implementation of RFC 166.

Only "inactive" files are reformatted, meaning only files that
aren't being touched by any PR with activity in the past 2 months.
This is to avoid conflicts for PRs that might soon be merged.
Later we can do a full treewide reformat to get the rest,
which should not cause as many conflicts.

A CI check has already been running for some time to ensure that new and
already-formatted files are formatted, so the files being reformatted here
should also stay formatted.

This commit was automatically created and can be verified using

    nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \
      --argstr baseRev 0128fbb0a5
    result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:29:24 +01:00

387 lines
12 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.xserver.displayManager;
gdm = pkgs.gdm;
pamCfg = config.security.pam.services;
settingsFormat = pkgs.formats.ini { };
configFile = settingsFormat.generate "custom.conf" cfg.gdm.settings;
xSessionWrapper =
if (cfg.setupCommands == "") then
null
else
pkgs.writeScript "gdm-x-session-wrapper" ''
#!${pkgs.bash}/bin/bash
${cfg.setupCommands}
exec "$@"
'';
# Solves problems like:
# https://wiki.archlinux.org/index.php/Talk:Bluetooth_headset#GDMs_pulseaudio_instance_captures_bluetooth_headset
# Instead of blacklisting plugins, we use Fedora's PulseAudio configuration for GDM:
# https://src.fedoraproject.org/rpms/gdm/blob/master/f/default.pa-for-gdm
pulseConfig = pkgs.writeText "default.pa" ''
load-module module-device-restore
load-module module-card-restore
load-module module-udev-detect
load-module module-native-protocol-unix
load-module module-default-device-restore
load-module module-always-sink
load-module module-intended-roles
load-module module-suspend-on-idle
load-module module-position-event-sounds
'';
defaultSessionName = config.services.displayManager.defaultSession;
setSessionScript = pkgs.callPackage ./account-service-util.nix { };
in
{
imports = [
(lib.mkRenamedOptionModule
[ "services" "xserver" "displayManager" "gdm" "autoLogin" "enable" ]
[
"services"
"displayManager"
"autoLogin"
"enable"
]
)
(lib.mkRenamedOptionModule
[ "services" "xserver" "displayManager" "gdm" "autoLogin" "user" ]
[
"services"
"displayManager"
"autoLogin"
"user"
]
)
(lib.mkRemovedOptionModule [
"services"
"xserver"
"displayManager"
"gdm"
"nvidiaWayland"
] "We defer to GDM whether Wayland should be enabled.")
];
meta = {
maintainers = lib.teams.gnome.members;
};
###### interface
options = {
services.xserver.displayManager.gdm = {
enable = lib.mkEnableOption "GDM, the GNOME Display Manager";
debug = lib.mkEnableOption "debugging messages in GDM";
# Auto login options specific to GDM
autoLogin.delay = lib.mkOption {
type = lib.types.int;
default = 0;
description = ''
Seconds of inactivity after which the autologin will be performed.
'';
};
wayland = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Allow GDM to run on Wayland instead of Xserver.
'';
};
autoSuspend = lib.mkOption {
default = true;
description = ''
On the GNOME Display Manager login screen, suspend the machine after inactivity.
(Does not affect automatic suspend while logged in, or at lock screen.)
'';
type = lib.types.bool;
};
banner = lib.mkOption {
type = lib.types.nullOr lib.types.lines;
default = null;
example = ''
foo
bar
baz
'';
description = ''
Optional message to display on the login screen.
'';
};
settings = lib.mkOption {
type = settingsFormat.type;
default = { };
example = {
debug.enable = true;
};
description = ''
Options passed to the gdm daemon.
See [here](https://help.gnome.org/admin/gdm/stable/configuration.html.en#daemonconfig) for supported options.
'';
};
};
};
###### implementation
config = lib.mkIf cfg.gdm.enable {
services.xserver.displayManager.lightdm.enable = false;
users.users.gdm = {
name = "gdm";
uid = config.ids.uids.gdm;
group = "gdm";
home = "/run/gdm";
description = "GDM user";
};
users.groups.gdm.gid = config.ids.gids.gdm;
# GDM needs different xserverArgs, presumable because using wayland by default.
services.xserver.tty = null;
services.xserver.display = null;
services.xserver.verbose = null;
services.displayManager = {
# Enable desktop session data
enable = true;
environment =
{
GDM_X_SERVER_EXTRA_ARGS = toString (lib.filter (arg: arg != "-terminate") cfg.xserverArgs);
XDG_DATA_DIRS = lib.makeSearchPath "share" [
gdm # for gnome-login.session
config.services.displayManager.sessionData.desktops
pkgs.gnome-control-center # for accessibility icon
pkgs.adwaita-icon-theme
pkgs.hicolor-icon-theme # empty icon theme as a base
];
}
// lib.optionalAttrs (xSessionWrapper != null) {
# Make GDM use this wrapper before running the session, which runs the
# configured setupCommands. This relies on a patched GDM which supports
# this environment variable.
GDM_X_SESSION_WRAPPER = "${xSessionWrapper}";
};
execCmd = "exec ${gdm}/bin/gdm";
preStart = lib.optionalString (defaultSessionName != null) ''
# Set default session in session chooser to a specified values basically ignore session history.
${setSessionScript}/bin/set-session ${config.services.displayManager.sessionData.autologinSession}
'';
};
systemd.tmpfiles.rules =
[
"d /run/gdm/.config 0711 gdm gdm"
]
++ lib.optionals config.hardware.pulseaudio.enable [
"d /run/gdm/.config/pulse 0711 gdm gdm"
"L+ /run/gdm/.config/pulse/${pulseConfig.name} - - - - ${pulseConfig}"
]
++ lib.optionals config.services.gnome.gnome-initial-setup.enable [
# Create stamp file for gnome-initial-setup to prevent it starting in GDM.
"f /run/gdm/.config/gnome-initial-setup-done 0711 gdm gdm - yes"
];
# Otherwise GDM will not be able to start correctly and display Wayland sessions
systemd.packages = with pkgs.gnome; [
gdm
pkgs.gnome-session
pkgs.gnome-shell
];
environment.systemPackages = [ pkgs.adwaita-icon-theme ];
# We dont use the upstream gdm service
# it has to be disabled since the gdm package has it
# https://github.com/NixOS/nixpkgs/issues/108672
systemd.services.gdm.enable = false;
systemd.services.display-manager.wants = [
# Because sd_login_monitor_new requires /run/systemd/machines
"systemd-machined.service"
# setSessionScript wants AccountsService
"accounts-daemon.service"
];
systemd.services.display-manager.after = [
"rc-local.service"
"systemd-machined.service"
"systemd-user-sessions.service"
"getty@tty${gdm.initialVT}.service"
"plymouth-quit.service"
"plymouth-start.service"
];
systemd.services.display-manager.conflicts = [
"getty@tty${gdm.initialVT}.service"
"plymouth-quit.service"
];
systemd.services.display-manager.onFailure = [
"plymouth-quit.service"
];
# Prevent nixos-rebuild switch from bringing down the graphical
# session. (If multi-user.target wants plymouth-quit.service which
# conflicts display-manager.service, then when nixos-rebuild
# switch starts multi-user.target, display-manager.service is
# stopped so plymouth-quit.service can be started.)
systemd.services.plymouth-quit = lib.mkIf config.boot.plymouth.enable {
wantedBy = lib.mkForce [ ];
};
systemd.services.display-manager.serviceConfig = {
# Restart = "always"; - already defined in xserver.nix
KillMode = "mixed";
IgnoreSIGPIPE = "no";
BusName = "org.gnome.DisplayManager";
StandardError = "inherit";
ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
KeyringMode = "shared";
EnvironmentFile = "-/etc/locale.conf";
};
systemd.services.display-manager.path = [ pkgs.gnome-session ];
# Allow choosing an user account
services.accounts-daemon.enable = true;
services.dbus.packages = [ gdm ];
systemd.user.services.dbus.wantedBy = [ "default.target" ];
programs.dconf.profiles.gdm.databases =
lib.optionals (!cfg.gdm.autoSuspend) [
{
settings."org/gnome/settings-daemon/plugins/power" = {
sleep-inactive-ac-type = "nothing";
sleep-inactive-battery-type = "nothing";
sleep-inactive-ac-timeout = lib.gvariant.mkInt32 0;
sleep-inactive-battery-timeout = lib.gvariant.mkInt32 0;
};
}
]
++ lib.optionals (cfg.gdm.banner != null) [
{
settings."org/gnome/login-screen" = {
banner-message-enable = true;
banner-message-text = cfg.gdm.banner;
};
}
]
++ [ "${gdm}/share/gdm/greeter-dconf-defaults" ];
# Use AutomaticLogin if delay is zero, because it's immediate.
# Otherwise with TimedLogin with zero seconds the prompt is still
# presented and there's a little delay.
services.xserver.displayManager.gdm.settings = {
daemon = lib.mkMerge [
{ WaylandEnable = cfg.gdm.wayland; }
# nested if else didn't work
(lib.mkIf (config.services.displayManager.autoLogin.enable && cfg.gdm.autoLogin.delay != 0) {
TimedLoginEnable = true;
TimedLogin = config.services.displayManager.autoLogin.user;
TimedLoginDelay = cfg.gdm.autoLogin.delay;
})
(lib.mkIf (config.services.displayManager.autoLogin.enable && cfg.gdm.autoLogin.delay == 0) {
AutomaticLoginEnable = true;
AutomaticLogin = config.services.displayManager.autoLogin.user;
})
];
debug = lib.mkIf cfg.gdm.debug {
Enable = true;
};
};
environment.etc."gdm/custom.conf".source = configFile;
environment.etc."gdm/Xsession".source = config.services.displayManager.sessionData.wrapper;
# GDM LFS PAM modules, adapted somehow to NixOS
security.pam.services = {
gdm-launch-environment.text = ''
auth required pam_succeed_if.so audit quiet_success user = gdm
auth optional pam_permit.so
account required pam_succeed_if.so audit quiet_success user = gdm
account sufficient pam_unix.so
password required pam_deny.so
session required pam_succeed_if.so audit quiet_success user = gdm
session required pam_env.so conffile=/etc/pam/environment readenv=0
session optional ${config.systemd.package}/lib/security/pam_systemd.so
session optional pam_keyinit.so force revoke
session optional pam_permit.so
'';
gdm-password.text = ''
auth substack login
account include login
password substack login
session include login
'';
gdm-autologin.text = ''
auth requisite pam_nologin.so
auth required pam_succeed_if.so uid >= 1000 quiet
${lib.optionalString pamCfg.login.enableGnomeKeyring ''
auth [success=ok default=1] ${gdm}/lib/security/pam_gdm.so
auth optional ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so
''}
auth required pam_permit.so
account sufficient pam_unix.so
password requisite pam_unix.so nullok yescrypt
session optional pam_keyinit.so revoke
session include login
'';
# This would block password prompt when included by gdm-password.
# GDM will instead run gdm-fingerprint in parallel.
login.fprintAuth = lib.mkIf config.services.fprintd.enable false;
gdm-fingerprint.text = lib.mkIf config.services.fprintd.enable ''
auth required pam_shells.so
auth requisite pam_nologin.so
auth requisite pam_faillock.so preauth
auth required ${pkgs.fprintd}/lib/security/pam_fprintd.so
auth required pam_env.so
${lib.optionalString pamCfg.login.enableGnomeKeyring ''
auth [success=ok default=1] ${gdm}/lib/security/pam_gdm.so
auth optional ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so
''}
account include login
password required pam_deny.so
session include login
'';
};
};
}
View git blame Copy permalink