author | Jörg Thalheim <joerg@thalheim.io> | 2021-07-28 06:28:25 +0200 |
---|---|---|
committer | Jörg Thalheim <joerg@thalheim.io> | 2021-08-20 23:43:30 +0200 |
commit | 1645acf1d3e9fc2f9a673e3caca9d5e66ca03827 (patch) | |
tree | 241f12ddc53a29a5e100b6e091e269c51b0b7eae /nixos | |
parent | 3dcb36f234d7191381992995e9960fd55a5d5832 (diff) |
nixos: reduce pam files rebuilds on updates
Before, whenever environment variables changed, the PAM files had to be rebuilt. This is expensive since each file needs its own sandbox set up.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/config/system-environment.nix | 70 | ||||
-rw-r--r-- | nixos/modules/security/pam.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/wayland/cage.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/x11/display-managers/gdm.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/x11/display-managers/lightdm.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/x11/display-managers/sddm.nix | 2 |
6 files changed, 39 insertions, 41 deletions
diff --git a/nixos/modules/config/system-environment.nix b/nixos/modules/config/system-environment.nix
index 4888740ba3d53..d2a66b8d932df 100644
--- a/nixos/modules/config/system-environment.nix
+++ b/nixos/modules/config/system-environment.nix
@@ -65,42 +65,40 @@ in
 };
 config = {
-
- system.build.pamEnvironment =
- let
- suffixedVariables =
- flip mapAttrs cfg.profileRelativeSessionVariables (envVar: suffixes:
- flip concatMap cfg.profiles (profile:
- map (suffix: "${profile}${suffix}") suffixes
- )
- );
-
- # We're trying to use the same syntax for PAM variables and env variables.
- # That means we need to map the env variables that people might use to their
- # equivalent PAM variable.
- replaceEnvVars = replaceStrings ["$HOME" "$USER"] ["@{HOME}" "@{PAM_USER}"];
-
- pamVariable = n: v:
- ''${n} DEFAULT="${concatStringsSep ":" (map replaceEnvVars (toList v))}"'';
-
- pamVariables =
- concatStringsSep "\n"
- (mapAttrsToList pamVariable
- (zipAttrsWith (n: concatLists)
- [
- # Make sure security wrappers are prioritized without polluting
- # shell environments with an extra entry. Sessions which depend on
- # pam for its environment will otherwise have eg. broken sudo. In
- # particular Gnome Shell sometimes fails to source a proper
- # environment from a shell.
- { PATH = [ config.security.wrapperDir ]; }
-
- (mapAttrs (n: toList) cfg.sessionVariables)
- suffixedVariables
- ]));
- in
- pkgs.writeText "pam-environment" "${pamVariables}\n";
-
+ environment.etc."pam/environment".text = let
+ suffixedVariables =
+ flip mapAttrs cfg.profileRelativeSessionVariables (envVar: suffixes:
+ flip concatMap cfg.profiles (profile:
+ map (suffix: "${profile}${suffix}") suffixes
+ )
+ );
+
+ # We're trying to use the same syntax for PAM variables and env variables.
+ # That means we need to map the env variables that people might use to their
+ # equivalent PAM variable.
+ replaceEnvVars = replaceStrings ["$HOME" "$USER"] ["@{HOME}" "@{PAM_USER}"];
+
+ pamVariable = n: v:
+ ''${n} DEFAULT="${concatStringsSep ":" (map replaceEnvVars (toList v))}"'';
+
+ pamVariables =
+ concatStringsSep "\n"
+ (mapAttrsToList pamVariable
+ (zipAttrsWith (n: concatLists)
+ [
+ # Make sure security wrappers are prioritized without polluting
+ # shell environments with an extra entry. Sessions which depend on
+ # pam for its environment will otherwise have eg. broken sudo. In
+ # particular Gnome Shell sometimes fails to source a proper
+ # environment from a shell.
+ { PATH = [ config.security.wrapperDir ]; }
+
+ (mapAttrs (n: toList) cfg.sessionVariables)
+ suffixedVariables
+ ]));
+ in ''
+ ${pamVariables}
+ '';
 };
 }
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 9a6c7d1782572..ca402e709260e 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -475,7 +475,7 @@ let
 # Session management.
 ${optionalString cfg.setEnvironment ''
- session required pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0
+ session required pam_env.so conffile=/etc/pam/environment readenv=0
 ''}
 session required pam_unix.so
 ${optionalString cfg.setLoginUid
diff --git a/nixos/modules/services/wayland/cage.nix b/nixos/modules/services/wayland/cage.nix
index 2e71abb69fc44..bd97a674eb86a 100644
--- a/nixos/modules/services/wayland/cage.nix
+++ b/nixos/modules/services/wayland/cage.nix
@@ -82,7 +82,7 @@ in {
 auth required pam_unix.so nullok
 account required pam_unix.so
 session required pam_unix.so
- session required pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0
+ session required pam_env.so conffile=/etc/pam/environment readenv=0
 session required ${pkgs.systemd}/lib/security/pam_systemd.so
 '';
diff --git a/nixos/modules/services/x11/display-managers/gdm.nix b/nixos/modules/services/x11/display-managers/gdm.nix
index ef9ec438cc1c5..7d5edc222571a 100644
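Review bot: Dropping `system.build.pamEnvironment` without leaving an alias is a silent interface break for any out-of-tree module or custom pam stack that still interpolates `${config.system.build.pamEnvironment}` into a `conffile=` argument; evaluation will fail with a missing-attribute error rather than a deprecation warning. Since `environment.etc` still produces a store path for the generated file, a one-line compatibility binding next to the new definition would preserve the old attribute, e.g. `system.build.pamEnvironment = config.environment.etc."pam/environment".source;` (I believe the etc module derives `.source` from `.text`; worth confirming). I would also put a comment above the `environment.etc."pam/environment".text` line recording that pam.nix, cage.nix, gdm.nix, lightdm.nix and sddm.nix now reference this file by its `/etc` path, so that renaming the etc entry is not done in isolation, e.g. `# Referenced as conffile=/etc/pam/environment by the PAM stacks in security/pam.nix and the display-manager modules.`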
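Review bot: The session stack now resolves `conffile=/etc/pam/environment` at login time instead of pinning a store path inside the generated pam.d file, so the variables applied to every PAM session — including the `PATH` entry that puts `security.wrapperDir` first — depend on the `/etc` symlink being present and current rather than on the closure of the PAM config itself. As far as I recall, pam_env returns PAM_IGNORE when the `conffile` cannot be opened, so a missing or stale `/etc/pam/environment` (for example during a partially applied switch) would silently yield sessions without that PATH rather than fail loudly; worth confirming against the Linux-PAM version shipped and, if so, documenting. A short comment above the changed line would make the dependency explicit, e.g. `# /etc/pam/environment is generated by modules/config/system-environment.nix via environment.etc`. The `optionalString cfg.setEnvironment` fragment is inside the hunk, but the enclosing `let` and the pam service definition start outside it.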
--- a/nixos/modules/services/x11/display-managers/gdm.nix
+++ b/nixos/modules/services/x11/display-managers/gdm.nix
@@ -309,7 +309,7 @@ in
 password required pam_deny.so
 session required pam_succeed_if.so audit quiet_success user = gdm
- session required pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0
+ session required pam_env.so conffile=/etc/pam/environment readenv=0
 session optional ${pkgs.systemd}/lib/security/pam_systemd.so
 session optional pam_keyinit.so force revoke
 session optional pam_permit.so
diff --git a/nixos/modules/services/x11/display-managers/lightdm.nix b/nixos/modules/services/x11/display-managers/lightdm.nix
index 945222296fa6b..41c1b635f5d6a 100644
--- a/nixos/modules/services/x11/display-managers/lightdm.nix
+++ b/nixos/modules/services/x11/display-managers/lightdm.nix
@@ -284,7 +284,7 @@ in
 password required pam_deny.so
 session required pam_succeed_if.so audit quiet_success user = lightdm
- session required pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0
+ session required pam_env.so conffile=/etc/pam/environment readenv=0
 session optional ${pkgs.systemd}/lib/security/pam_systemd.so
 session optional pam_keyinit.so force revoke
 session optional pam_permit.so
diff --git a/nixos/modules/services/x11/display-managers/sddm.nix b/nixos/modules/services/x11/display-managers/sddm.nix
index 116994db1c140..d79b3cda2fcc5 100644
--- a/nixos/modules/services/x11/display-managers/sddm.nix
+++ b/nixos/modules/services/x11/display-managers/sddm.nix
@@ -229,7 +229,7 @@ in
 password required pam_deny.so
 session required pam_succeed_if.so audit quiet_success user = sddm
- session required pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0
+ session required pam_env.so conffile=/etc/pam/environment readenv=0
 session optional ${pkgs.systemd}/lib/security/pam_systemd.so
 session optional pam_keyinit.so force revoke
 session optional pam_permit.so |
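Review bot: The literal `/etc/pam/environment` is now repeated in this gdm hunk and identically in lightdm.nix, sddm.nix, cage.nix and security/pam.nix, with nothing tying those five strings to the `environment.etc."pam/environment"` definition that produces the file; renaming or conditionalising that etc entry would break these greeter stacks at login time rather than at evaluation time. A single shared binding that each module interpolates — for instance a `system.build.pamEnvironment` attribute pointing at the etc entry's store path, or a `pamEnvironmentFile = "/etc/pam/environment";` let-binding exported from pam.nix — would keep one source of truth and let a future move of the file be caught by evaluation. The pam service text that this line belongs to starts and ends outside the hunk.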