author | edef <edef@edef.eu> | 2017-10-07 17:27:46 +0200 |
---|---|---|
committer | obadz <obadz-git@obadz.com> | 2017-10-20 17:42:04 +0100 |
commit | ea35bc94bf0efd28e39cf4e8212f7df5b6e78aba (patch) | |
tree | 1eebdaa574d935def3e7f988271d0af44df7ba9b /nixos | |
parent | 7867b508817f1acfe3a524ed93ac83cb45e87720 (diff) |
nixos/ecryptfs: init
Currently, ecryptfs support is coupled to `security.pam.enableEcryptfs`, but one might want to use ecryptfs without enabling the PAM functionality. This commit splits it out into a `boot.supportedFilesystems` switch.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/security/pam.nix | 10 | ||||
-rw-r--r-- | nixos/modules/tasks/filesystems/ecryptfs.nix | 14 |
3 files changed, 19 insertions, 6 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index e67e6ae32b9a7..6f00a97dd3ff5 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -696,6 +696,7 @@
 ./tasks/filesystems/bcachefs.nix
 ./tasks/filesystems/btrfs.nix
 ./tasks/filesystems/cifs.nix
+ ./tasks/filesystems/ecryptfs.nix
 ./tasks/filesystems/exfat.nix
 ./tasks/filesystems/ext.nix
 ./tasks/filesystems/f2fs.nix
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 1e8ca4f902230..5ded36329f333 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -486,8 +486,9 @@ in
 ++ optionals config.krb5.enable [pam_krb5 pam_ccreds]
 ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]
 ++ optionals config.security.pam.oath.enable [ pkgs.oathToolkit ]
- ++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ]
- ++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ];
+ ++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ];
+
+ boot.supportedFilesystems = optionals config.security.pam.enableEcryptfs [ "ecryptfs" ];
 
 security.wrappers = {
 unix_chkpwd = {
@@ -495,10 +496,7 @@ in
 owner = "root";
 setuid = true;
 };
- } // (if config.security.pam.enableEcryptfs then {
- "mount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
- "umount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
- } else {});
+ };
 
 environment.etc = mapAttrsToList (n: v: makePAMService v) config.security.pam.services;
diff --git a/nixos/modules/tasks/filesystems/ecryptfs.nix b/nixos/modules/tasks/filesystems/ecryptfs.nix
new file mode 100644
index 0000000000000..12a407cabbfb0
--- /dev/null
+++ b/nixos/modules/tasks/filesystems/ecryptfs.nix
@@ -0,0 +1,14 @@
+{ config, lib, pkgs, ... }:
+# TODO: make ecryptfs work in initramfs?
+
+with lib;
+
+{
+ config = mkIf (any (fs: fs == "ecryptfs") config.boot.supportedFilesystems) {
+ system.fsPackages = [ pkgs.ecryptfs ];
+ security.wrappers = {
+ "mount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
+ "umount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
+ };
+ };
+} |
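Review bot: The added `boot.supportedFilesystems = optionals config.security.pam.enableEcryptfs [ "ecryptfs" ];` in the first pam.nix hunk has no comment, so a reader of pam.nix alone cannot see why a PAM module sets a boot option, nor that the ecryptfs tools and the `mount.ecryptfs_private`/`umount.ecryptfs_private` wrappers this commit removes from pam.nix are now supplied by tasks/filesystems/ecryptfs.nix through that switch. Suggest placing `# pam_ecryptfs needs the ecryptfs tools and the mount.ecryptfs_private wrappers; tasks/filesystems/ecryptfs.nix provides both when "ecryptfs" is a supported filesystem.` above the assignment. The package list this hunk trims (presumably environment.systemPackages) starts outside the hunk, so whether dropping `pkgs.ecryptfs` from it still leaves the tools on PATH depends on system.fsPackages being propagated into it — worth confirming. The wrapper removal in the second pam.nix hunk is the other half of the same move and is covered by this note.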
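Review bot: The two entries under `security.wrappers` in the new module set only `source`, so their privileges come from the wrapper module's defaults (setuid root, if I recall this era's security/wrappers.nix correctly — confirm), and they are now installed on every system that lists "ecryptfs" in boot.supportedFilesystems rather than only for `security.pam.enableEcryptfs` users as before. That widening of the setuid surface is intentional but invisible in the module; a comment at the declaration such as `# mount.ecryptfs_private/umount.ecryptfs_private run setuid root so unprivileged users can mount their own Private directory; enabling ecryptfs support installs them system-wide.` would record it. It would also be clearer to state the privileges explicitly, `owner = "root"; setuid = true;`, as the pam.nix hunk does for unix_chkpwd, instead of relying on the default. The `# TODO: make ecryptfs work in initramfs?` line would be more useful rewritten as a statement of what currently does not work, e.g. `# ecryptfs is not available in the initrd; root-on-ecryptfs is unsupported.` if that is indeed the case.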