Merge pull request #133014 from Mic92/fix-pam
nixos: reduce pam files rebuilds on updates
commit
9b962429be
@ -65,42 +65,40 @@ in
|
|||||||
};
|
};
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
|
environment.etc."pam/environment".text = let
|
||||||
|
suffixedVariables =
|
||||||
|
flip mapAttrs cfg.profileRelativeSessionVariables (envVar: suffixes:
|
||||||
|
flip concatMap cfg.profiles (profile:
|
||||||
|
map (suffix: "${profile}${suffix}") suffixes
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
system.build.pamEnvironment =
|
# We're trying to use the same syntax for PAM variables and env variables.
|
||||||
let
|
# That means we need to map the env variables that people might use to their
|
||||||
suffixedVariables =
|
# equivalent PAM variable.
|
||||||
flip mapAttrs cfg.profileRelativeSessionVariables (envVar: suffixes:
|
replaceEnvVars = replaceStrings ["$HOME" "$USER"] ["@{HOME}" "@{PAM_USER}"];
|
||||||
flip concatMap cfg.profiles (profile:
|
|
||||||
map (suffix: "${profile}${suffix}") suffixes
|
|
||||||
)
|
|
||||||
);
|
|
||||||
|
|
||||||
# We're trying to use the same syntax for PAM variables and env variables.
|
pamVariable = n: v:
|
||||||
# That means we need to map the env variables that people might use to their
|
''${n} DEFAULT="${concatStringsSep ":" (map replaceEnvVars (toList v))}"'';
|
||||||
# equivalent PAM variable.
|
|
||||||
replaceEnvVars = replaceStrings ["$HOME" "$USER"] ["@{HOME}" "@{PAM_USER}"];
|
|
||||||
|
|
||||||
pamVariable = n: v:
|
pamVariables =
|
||||||
''${n} DEFAULT="${concatStringsSep ":" (map replaceEnvVars (toList v))}"'';
|
concatStringsSep "\n"
|
||||||
|
(mapAttrsToList pamVariable
|
||||||
pamVariables =
|
(zipAttrsWith (n: concatLists)
|
||||||
concatStringsSep "\n"
|
[
|
||||||
(mapAttrsToList pamVariable
|
# Make sure security wrappers are prioritized without polluting
|
||||||
(zipAttrsWith (n: concatLists)
|
# shell environments with an extra entry. Sessions which depend on
|
||||||
[
|
# pam for its environment will otherwise have eg. broken sudo. In
|
||||||
# Make sure security wrappers are prioritized without polluting
|
# particular Gnome Shell sometimes fails to source a proper
|
||||||
# shell environments with an extra entry. Sessions which depend on
|
# environment from a shell.
|
||||||
# pam for its environment will otherwise have eg. broken sudo. In
|
{ PATH = [ config.security.wrapperDir ]; }
|
||||||
# particular Gnome Shell sometimes fails to source a proper
|
|
||||||
# environment from a shell.
|
|
||||||
{ PATH = [ config.security.wrapperDir ]; }
|
|
||||||
|
|
||||||
(mapAttrs (n: toList) cfg.sessionVariables)
|
|
||||||
suffixedVariables
|
|
||||||
]));
|
|
||||||
in
|
|
||||||
pkgs.writeText "pam-environment" "${pamVariables}\n";
|
|
||||||
|
|
||||||
|
(mapAttrs (n: toList) cfg.sessionVariables)
|
||||||
|
suffixedVariables
|
||||||
|
]));
|
||||||
|
in ''
|
||||||
|
${pamVariables}
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
}
|
}
|
||||||
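Review bot: `system.build.pamEnvironment` is dropped here with no alias left behind, so any PAM service definition outside the hunks on this page that still interpolates `${config.system.build.pamEnvironment}` will stop evaluating; whether such users exist is not visible here and is worth a grep before merging. The new `environment.etc."pam/environment".text` binding would also benefit from a comment saying who consumes it, for example `# Read by pam_env through conffile=/etc/pam/environment; a fixed path keeps PAM service files unchanged when session variables change.` Separately, `pamVariable` still places each value inside `DEFAULT="..."` without rejecting a `"` or a newline, so a session variable containing either would presumably yield a malformed pam_env entry; an assertion on the values would make that fail at build time instead of at login. The `config = { … }` block begins outside this hunk.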
|
@ -475,7 +475,7 @@ let
|
|||||||
|
|
||||||
# Session management.
|
# Session management.
|
||||||
${optionalString cfg.setEnvironment ''
|
${optionalString cfg.setEnvironment ''
|
||||||
session required pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0
|
session required pam_env.so conffile=/etc/pam/environment readenv=0
|
||||||
''}
|
''}
|
||||||
session required pam_unix.so
|
session required pam_unix.so
|
||||||
${optionalString cfg.setLoginUid
|
${optionalString cfg.setLoginUid
|
||||||
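Review bot: `conffile=/etc/pam/environment` is now resolved when the session opens instead of being pinned to a store path fixed at build time, and nothing in this hunk records that the PAM stack depends on that file existing and being writable only by root. The same applies to the four later hunks that make the identical substitution (the `pam_unix.so nullok` stack and the gdm, lightdm and sddm stacks), where the line is not guarded by `cfg.setEnvironment` and the module is `session required`. How pam_env behaves when the file is missing is not shown on this page and should be confirmed, for instance for environments where `/etc` is populated late. A comment next to the rule would help: `# /etc/pam/environment comes from environment.etc."pam/environment"; fixed path avoids rebuilding PAM files when the environment changes.` A NixOS test asserting that a fresh login still has `config.security.wrapperDir` first in `PATH` would catch a regression here.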
|
@ -82,7 +82,7 @@ in {
|
|||||||
auth required pam_unix.so nullok
|
auth required pam_unix.so nullok
|
||||||
account required pam_unix.so
|
account required pam_unix.so
|
||||||
session required pam_unix.so
|
session required pam_unix.so
|
||||||
session required pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0
|
session required pam_env.so conffile=/etc/pam/environment readenv=0
|
||||||
session required ${pkgs.systemd}/lib/security/pam_systemd.so
|
session required ${pkgs.systemd}/lib/security/pam_systemd.so
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
@ -314,7 +314,7 @@ in
|
|||||||
password required pam_deny.so
|
password required pam_deny.so
|
||||||
|
|
||||||
session required pam_succeed_if.so audit quiet_success user = gdm
|
session required pam_succeed_if.so audit quiet_success user = gdm
|
||||||
session required pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0
|
session required pam_env.so conffile=/etc/pam/environment readenv=0
|
||||||
session optional ${pkgs.systemd}/lib/security/pam_systemd.so
|
session optional ${pkgs.systemd}/lib/security/pam_systemd.so
|
||||||
session optional pam_keyinit.so force revoke
|
session optional pam_keyinit.so force revoke
|
||||||
session optional pam_permit.so
|
session optional pam_permit.so
|
||||||
|
@ -284,7 +284,7 @@ in
|
|||||||
password required pam_deny.so
|
password required pam_deny.so
|
||||||
|
|
||||||
session required pam_succeed_if.so audit quiet_success user = lightdm
|
session required pam_succeed_if.so audit quiet_success user = lightdm
|
||||||
session required pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0
|
session required pam_env.so conffile=/etc/pam/environment readenv=0
|
||||||
session optional ${pkgs.systemd}/lib/security/pam_systemd.so
|
session optional ${pkgs.systemd}/lib/security/pam_systemd.so
|
||||||
session optional pam_keyinit.so force revoke
|
session optional pam_keyinit.so force revoke
|
||||||
session optional pam_permit.so
|
session optional pam_permit.so
|
||||||
|
@ -229,7 +229,7 @@ in
|
|||||||
password required pam_deny.so
|
password required pam_deny.so
|
||||||
|
|
||||||
session required pam_succeed_if.so audit quiet_success user = sddm
|
session required pam_succeed_if.so audit quiet_success user = sddm
|
||||||
session required pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0
|
session required pam_env.so conffile=/etc/pam/environment readenv=0
|
||||||
session optional ${pkgs.systemd}/lib/security/pam_systemd.so
|
session optional ${pkgs.systemd}/lib/security/pam_systemd.so
|
||||||
session optional pam_keyinit.so force revoke
|
session optional pam_keyinit.so force revoke
|
||||||
session optional pam_permit.so
|
session optional pam_permit.so
|
||||||
|