Diffstat (limited to 'nixos/modules/security')
-rw-r--r-- | nixos/modules/security/duosec.nix | 28 | ||||
-rw-r--r-- | nixos/modules/security/pam.nix | 9 | ||||
-rw-r--r-- | nixos/modules/security/pam_mount.nix | 5 | ||||
-rw-r--r-- | nixos/modules/security/rtkit.nix | 5 | ||||
-rw-r--r-- | nixos/modules/security/sudo.nix | 3 |
5 files changed, 24 insertions, 26 deletions
diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix
index 997328ad9e6ab..78a82b7154e75 100644
--- a/nixos/modules/security/duosec.nix
+++ b/nixos/modules/security/duosec.nix
@@ -25,19 +25,21 @@ let
 accept_env_factor=${boolToStr cfg.acceptEnvFactor}
 '';
- loginCfgFile = optional cfg.ssh.enable
- { source = pkgs.writeText "login_duo.conf" configFileLogin;
- mode = "0600";
- user = "sshd";
- target = "duo/login_duo.conf";
- };
+ loginCfgFile = optionalAttrs cfg.ssh.enable {
+ "duo/login_duo.conf" =
+ { source = pkgs.writeText "login_duo.conf" configFileLogin;
+ mode = "0600";
+ user = "sshd";
+ };
+ };
- pamCfgFile = optional cfg.pam.enable
- { source = pkgs.writeText "pam_duo.conf" configFilePam;
- mode = "0600";
- user = "sshd";
- target = "duo/pam_duo.conf";
- };
+ pamCfgFile = optional cfg.pam.enable {
+ "duo/pam_duo.conf" =
+ { source = pkgs.writeText "pam_duo.conf" configFilePam;
+ mode = "0600";
+ user = "sshd";
+ };
+ };
 in
 {
 options = {
@@ -186,7 +188,7 @@ in
 environment.systemPackages = [ pkgs.duo-unix ];
 security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo";
- environment.etc = loginCfgFile ++ pamCfgFile;
+ environment.etc = loginCfgFile // pamCfgFile;
 /* If PAM *and* SSH are enabled, then don't do anything special.
 If PAM isn't used, set the default SSH-only options. */
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 0adc27c47f021..ee37c18d980da 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -475,9 +475,9 @@ let
 motd = pkgs.writeText "motd" config.users.motd;
- makePAMService = pamService:
- { source = pkgs.writeText "${pamService.name}.pam" pamService.text;
- target = "pam.d/${pamService.name}";
+ makePAMService = name: service:
+ { name = "pam.d/${name}";
+ value.source = pkgs.writeText "${name}.pam" service.text;
 };
 in
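Review bot: `pamCfgFile` in the first duosec.nix hunk is still built with `optional`, which returns a list, while the second hunk now merges it with `loginCfgFile // pamCfgFile`; `//` needs an attribute set on both sides, so this should fail as soon as `environment.etc` is evaluated, whether or not `cfg.pam.enable` is set (a false condition still yields `[ ]`). It should mirror the login case: `pamCfgFile = optionalAttrs cfg.pam.enable {`. Separately, both files come from `pkgs.writeText`, so `mode = "0600"` restricts only the `/etc` copy; if `configFilePam` or `configFileLogin` carry the Duo secret key (their full definitions are outside this hunk), that text stays world-readable in the Nix store, and a comment saying so would help.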
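Review bot: `makePAMService` in the first pam.nix hunk now derives both the `pam.d/` path and the store file name from the attribute key (`name`), where the old code read the service's own `pamService.name` field. If the service submodule allows `name` to be set independently of the key (its option declaration is outside this hunk), a service with an overridden name would be written to a different `/etc/pam.d` path than before, and the application would then pick up a different PAM stack. Either keep the old source of truth with `{ name = "pam.d/${service.name}";` or add a comment stating that the attribute key is authoritative. The call site is the `mapAttrs' makePAMService` line in the second pam.nix hunk.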
@@ -760,8 +760,7 @@ in
 };
 };
- environment.etc =
- mapAttrsToList (n: v: makePAMService v) config.security.pam.services;
+ environment.etc = mapAttrs' makePAMService config.security.pam.services;
 security.pam.services =
 { other.text =
diff --git a/nixos/modules/security/pam_mount.nix b/nixos/modules/security/pam_mount.nix
index 75f58462d13d3..77e22a96b553c 100644
--- a/nixos/modules/security/pam_mount.nix
+++ b/nixos/modules/security/pam_mount.nix
@@ -36,8 +36,7 @@ in
 config = mkIf (cfg.enable || anyPamMount) {
 environment.systemPackages = [ pkgs.pam_mount ];
- environment.etc = [{
- target = "security/pam_mount.conf.xml";
+ environment.etc."security/pam_mount.conf.xml" = {
 source =
 let
 extraUserVolumes = filterAttrs (n: u: u.cryptHomeLuks != null) config.users.users;
@@ -66,7 +65,7 @@ in
 ${concatStringsSep "\n" cfg.extraVolumes}
 </pam_mount>
 '';
- }];
+ };
 };
 }
diff --git a/nixos/modules/security/rtkit.nix b/nixos/modules/security/rtkit.nix
index f6dda21c60064..a7b27cbcf215d 100644
--- a/nixos/modules/security/rtkit.nix
+++ b/nixos/modules/security/rtkit.nix
@@ -34,9 +34,8 @@ with lib;
 services.dbus.packages = [ pkgs.rtkit ];
- users.users = singleton
- { name = "rtkit";
- uid = config.ids.uids.rtkit;
+ users.users.rtkit =
+ { uid = config.ids.uids.rtkit;
 description = "RealtimeKit daemon";
 };
diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix
index 10ee036be84eb..d899806ef058f 100644
--- a/nixos/modules/security/sudo.nix
+++ b/nixos/modules/security/sudo.nix
@@ -212,7 +212,7 @@ in
 security.pam.services.sudo = { sshAgentAuth = true; };
- environment.etc = singleton
+ environment.etc.sudoers =
 { source =
 pkgs.runCommand "sudoers"
 {
@@ -222,7 +222,6 @@ in
 # Make sure that the sudoers file is syntactically valid.
 # (currently disabled - NIXOS-66)
 "${pkgs.buildPackages.sudo}/sbin/visudo -f $src -c && cp $src $out";
- target = "sudoers";
 mode = "0440";
 };
 |
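Review bot: In the second sudo.nix hunk the context comment `# (currently disabled - NIXOS-66)` sits directly above a command that does run `visudo -f $src -c` before copying, so the comment and the code disagree about whether the sudoers file is validated at build time. Since this entry is being edited anyway, the comment should describe the actual behaviour, for example `# A sudoers file that fails visudo -c aborts the build.`, or be dropped if the check is live. The `runCommand` call begins before this hunk, so this should be confirmed against the full derivation.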