author | Florian Klink <flokli@flokli.de> | 2022-12-23 13:09:17 +0100 |
committer | GitHub <noreply@github.com> | 2022-12-23 13:09:17 +0100 |
commit | 6b1a896570a1652394a4e73cd1ad402edee437e2 (patch) | |
tree | f348663fdb945dce15f3a8f46cbd9d85d5ab03a1 /nixos/modules/security | |
parent | 17dc4d77f379f291b000ed17d829a00fce3640f3 (diff) | |
parent | 05420f34cf7b8eb6acb1e18d918b1a9a78762473 (diff) |
Merge pull request #205121 from alaviss/homed
nixos: systemd-homed support
Diffstat (limited to 'nixos/modules/security')
-rw-r--r-- | nixos/modules/security/pam.nix | 27 |
1 files changed, 24 insertions, 3 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 273bc796341c2..4224722f8792c 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -488,6 +488,9 @@ let
 account [success=ok ignore=ignore default=die] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so
 account [success=ok default=ignore] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so
 '' +
+ optionalString config.services.homed.enable ''
+ account sufficient ${config.systemd.package}/lib/security/pam_systemd_home.so
+ '' +
 # The required pam_unix.so module has to come after all the sufficient modules
 # because otherwise, the account lookup will fail if the user does not exist
 # locally, for example with MySQL- or LDAP-auth.
@@ -541,8 +544,10 @@ let
 # after it succeeds. Certain modules need to run after pam_unix
 # prompts the user for password so we run it once with 'optional' at an
 # earlier point and it will run again with 'sufficient' further down.
- # We use try_first_pass the second time to avoid prompting password twice
- (optionalString (cfg.unixAuth &&
+ # We use try_first_pass the second time to avoid prompting password twice.
+ #
+ # The same principle applies to systemd-homed
+ (optionalString ((cfg.unixAuth || config.services.homed.enable) &&
 (config.security.pam.enableEcryptfs
 || config.security.pam.enableFscrypt
 || cfg.pamMount
@@ -553,7 +558,10 @@ let
 || cfg.failDelay.enable
 || cfg.duoSecurity.enable))
 (
- ''
+ optionalString config.services.homed.enable ''
+ auth optional ${config.systemd.package}/lib/security/pam_systemd_home.so
+ '' +
+ optionalString cfg.unixAuth ''
 auth optional pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth
 '' +
 optionalString config.security.pam.enableEcryptfs ''
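Review bot: The added comment `# The same principle applies to systemd-homed` in the second hunk leaves the reader to guess which principle is meant, because the new `auth optional ... pam_systemd_home.so` line in the third hunk has no `try_first_pass` counterpart on its later `sufficient` entry the way pam_unix does. If pam_systemd_home picks the password up from the PAM authtok left behind by the earlier optional run (which is what the ordering suggests, but cannot be confirmed from these lines), the comment should say so, e.g. `# pam_systemd_home is likewise run once as 'optional' here so the password is collected early, and again as 'sufficient' below, reusing the already-collected authtok rather than prompting a second time`. The enclosing `optionalString` expression begins before the second hunk and continues past the end of the third.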
@@ -584,6 +592,9 @@ let
 auth required ${pkgs.duo-unix}/lib/security/pam_duo.so
 ''
 )) +
+ optionalString config.services.homed.enable ''
+ auth sufficient ${config.systemd.package}/lib/security/pam_systemd_home.so
+ '' +
 optionalString cfg.unixAuth ''
 auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth try_first_pass
 '' +
@@ -605,6 +616,10 @@ let
 auth required pam_deny.so
 # Password management.
+ '' +
+ optionalString config.services.homed.enable ''
+ password sufficient ${config.systemd.package}/lib/security/pam_systemd_home.so
+ '' + ''
 password sufficient pam_unix.so nullok sha512
 '' +
 optionalString config.security.pam.enableEcryptfs ''
@@ -650,6 +665,9 @@ let
 ++ optional (cfg.ttyAudit.enablePattern != null) "enable=${cfg.ttyAudit.enablePattern}"
 ++ optional (cfg.ttyAudit.disablePattern != null) "disable=${cfg.ttyAudit.disablePattern}"
 )) +
+ optionalString config.services.homed.enable ''
+ session required ${config.systemd.package}/lib/security/pam_systemd_home.so
+ '' +
 optionalString cfg.makeHomeDir ''
 session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=0077
 '' +
@@ -1361,6 +1379,9 @@ in
 '' +
 optionalString config.virtualisation.lxc.lxcfs.enable ''
 mr ${pkgs.lxc}/lib/security/pam_cgfs.so
+ '' +
+ optionalString config.services.homed.enable ''
+ mr ${config.systemd.package}/lib/security/pam_systemd_home.so
 '';
 };
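Review bot: The `auth sufficient ${config.systemd.package}/lib/security/pam_systemd_home.so` line added in the first hunk here is gated only on the global `config.services.homed.enable`, while the neighbouring `auth sufficient pam_unix.so ... try_first_pass` stays behind the per-service `cfg.unixAuth`. A PAM service that sets `unixAuth = false` to keep password authentication out of its stack would therefore still contain a password-accepting sufficient module once homed is enabled, at least for homed-managed users. If `unixAuth` is meant to govern only pam_unix, that deserves a comment next to the new line, e.g. `# not gated on cfg.unixAuth: that option only covers pam_unix`; if it is meant to switch off password auth for the service as a whole, the guard should become `optionalString (cfg.unixAuth && config.services.homed.enable) ''`. The same consideration does not arise for the `account`, `password` and `session` hunks, whose pam_unix counterparts are not gated on `cfg.unixAuth` either.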