ilyakooo0/nixpkgs
1
0
Fork 0
mirror of https://github.com/ilyakooo0/nixpkgs.git synced 2024-09-21 04:28:40 +03:00
Code Issues Projects Releases Wiki Activity

nixos/pam: clean up rules

Browse Source 
Makes the rules more uniform in structure and style. This makes it
easier to automate subsequent commits. No behavior changes.
This commit is contained in:
Majiir Paktu 2023-09-24 15:39:21 -04:00
parent 0ca24a8dbe
commit dd458977a0
1 changed files with 16 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
nixos/modules/security/pam.nix
View File

@ -484,14 +484,11 @@ let
optionalString cfg.mysqlAuth ''
account sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
'' +
optionalString (config.services.kanidm.enablePam) ''
optionalString config.services.kanidm.enablePam ''
account sufficient ${pkgs.kanidm}/lib/pam_kanidm.so ignore_unknown_user
'' +
optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false) ''
account sufficient ${pkgs.sssd}/lib/security/pam_sss.so
'' +
optionalString (config.services.sssd.enable && cfg.sssdStrictAccess) ''
account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so
optionalString config.services.sssd.enable ''
account ${if cfg.sssdStrictAccess then "[default=bad success=ok user_unknown=ignore]" else "sufficient"} ${pkgs.sssd}/lib/security/pam_sss.so
'' +
optionalString config.security.pam.krb5.enable ''
account sufficient ${pam_krb5}/lib/security/pam_krb5.so
@ -532,10 +529,9 @@ let
(let p11 = config.security.pam.p11; in optionalString cfg.p11Auth ''
auth ${p11.control} ${pkgs.pam_p11}/lib/security/pam_p11.so ${pkgs.opensc}/lib/opensc-pkcs11.so
'') +
(let u2f = config.security.pam.u2f; in optionalString cfg.u2fAuth (''
auth ${u2f.control} ${pkgs.pam_u2f}/lib/security/pam_u2f.so ${optionalString u2f.debug "debug"} ${optionalString (u2f.authFile != null) "authfile=${u2f.authFile}"} ''
+ ''${optionalString u2f.interactive "interactive"} ${optionalString u2f.cue "cue"} ${optionalString (u2f.appId != null) "appid=${u2f.appId}"} ${optionalString (u2f.origin != null) "origin=${u2f.origin}"}
'')) +
(let u2f = config.security.pam.u2f; in optionalString cfg.u2fAuth ''
auth ${u2f.control} ${pkgs.pam_u2f}/lib/security/pam_u2f.so ${optionalString u2f.debug "debug"} ${optionalString (u2f.authFile != null) "authfile=${u2f.authFile}"} ${optionalString u2f.interactive "interactive"} ${optionalString u2f.cue "cue"} ${optionalString (u2f.appId != null) "appid=${u2f.appId}"} ${optionalString (u2f.origin != null) "origin=${u2f.origin}"}
'') +
optionalString cfg.usbAuth ''
auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so
'' +
@ -593,13 +589,13 @@ let
auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so disable_interactive
'' +
optionalString cfg.enableKwallet ''
auth optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5
auth optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5
'' +
optionalString cfg.enableGnomeKeyring ''
auth optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so
'' +
optionalString cfg.gnupg.enable ''
auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so ${optionalString cfg.gnupg.storeOnly " store-only"}
auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so ${optionalString cfg.gnupg.storeOnly "store-only"}
'' +
optionalString cfg.failDelay.enable ''
auth optional ${pkgs.pam}/lib/security/pam_faildelay.so delay=${toString cfg.failDelay.delay}
@ -641,7 +637,8 @@ let
'' +
optionalString config.services.homed.enable ''
password sufficient ${config.systemd.package}/lib/security/pam_systemd_home.so
'' + ''
'' +
''
password sufficient pam_unix.so nullok yescrypt
'' +
optionalString config.security.pam.enableEcryptfs ''
@ -687,12 +684,9 @@ let
optionalString cfg.setLoginUid ''
session ${if config.boot.isContainer then "optional" else "required"} pam_loginuid.so
'' +
optionalString cfg.ttyAudit.enable (concatStringsSep " \\\n " ([
"session required ${pkgs.pam}/lib/security/pam_tty_audit.so"
] ++ optional cfg.ttyAudit.openOnly "open_only"
++ optional (cfg.ttyAudit.enablePattern != null) "enable=${cfg.ttyAudit.enablePattern}"
++ optional (cfg.ttyAudit.disablePattern != null) "disable=${cfg.ttyAudit.disablePattern}"
)) +
optionalString cfg.ttyAudit.enable ''
session required ${pkgs.pam}/lib/security/pam_tty_audit.so ${optionalString cfg.ttyAudit.openOnly "open_only"} ${optionalString (cfg.ttyAudit.enablePattern != null) "enable=${cfg.ttyAudit.enablePattern}"} ${optionalString (cfg.ttyAudit.disablePattern != null) "disable=${cfg.ttyAudit.disablePattern}"}
'' +
optionalString config.services.homed.enable ''
session required ${config.systemd.package}/lib/security/pam_systemd_home.so
'' +
@ -753,16 +747,16 @@ let
optionalString (cfg.enableAppArmor && config.security.apparmor.enable) ''
session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug
'' +
optionalString (cfg.enableKwallet) ''
optionalString cfg.enableKwallet ''
session optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5
'' +
optionalString (cfg.enableGnomeKeyring) ''
optionalString cfg.enableGnomeKeyring ''
session optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start
'' +
optionalString cfg.gnupg.enable ''
session optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so ${optionalString cfg.gnupg.noAutostart " no-autostart"}
'' +
optionalString (config.virtualisation.lxc.lxcfs.enable) ''
optionalString config.virtualisation.lxc.lxcfs.enable ''
session optional ${pkgs.lxc}/lib/security/pam_cgfs.so -c all
''
);