* Move PAM configuration to modules/security/pam.nix.
svn path=/nixos/branches/modular-nixos/; revision=15766
parent
de7aae5d5e
commit
14f1c81822
@ -37,59 +37,6 @@ in
|
||||
let
|
||||
optional = pkgs.lib.optional;
|
||||
|
||||
|
||||
# !!! ugh, these files shouldn't be created here.
|
||||
pamConsoleHandlers = pkgs.writeText "console.handlers" ''
|
||||
console consoledevs /dev/tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
|
||||
${pkgs.pam_console}/sbin/pam_console_apply lock logfail wait -t tty -s -c ${pamConsolePerms}
|
||||
${pkgs.pam_console}/sbin/pam_console_apply unlock logfail wait -r -t tty -s -c ${pamConsolePerms}
|
||||
'';
|
||||
|
||||
pamConsolePerms = ./security/console.perms;
|
||||
|
||||
configFiles =
|
||||
|
||||
# A bunch of PAM configuration files for various programs.
|
||||
(map
|
||||
(program:
|
||||
let isLDAPEnabled = config.users.ldap.enable; in
|
||||
{ source = pkgs.substituteAll {
|
||||
src = ./pam.d + ("/" + program);
|
||||
inherit (pkgs) pam_unix2 pam_console;
|
||||
pam_ldap =
|
||||
if isLDAPEnabled
|
||||
then pkgs.pam_ldap
|
||||
else "/no-such-path";
|
||||
inherit (pkgs.xorg) xauth;
|
||||
inherit pamConsoleHandlers;
|
||||
isLDAPEnabled = if isLDAPEnabled then "" else "#";
|
||||
syncSambaPasswords = if config.services.samba.syncPasswordsByPam
|
||||
then "password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass"
|
||||
else "# change samba configuration options to make passwd sync the samba auth database as well here..";
|
||||
};
|
||||
target = "pam.d/" + program;
|
||||
}
|
||||
)
|
||||
[
|
||||
"login"
|
||||
"su"
|
||||
"other"
|
||||
"passwd"
|
||||
"shadow"
|
||||
"sshd"
|
||||
"lshd"
|
||||
"useradd"
|
||||
"chsh"
|
||||
"xlock"
|
||||
"samba"
|
||||
"cups"
|
||||
"ftp"
|
||||
"ejabberd"
|
||||
"common"
|
||||
"common-console" # shared stuff for interactive local sessions
|
||||
]
|
||||
);
|
||||
|
||||
in
|
||||
|
||||
let
|
||||
@ -109,7 +56,7 @@ let
|
||||
|
||||
makeEtc = import ../helpers/make-etc.nix {
|
||||
inherit (pkgs) stdenv;
|
||||
configFiles = configFiles ++ config.environment.etc;
|
||||
configFiles = config.environment.etc;
|
||||
};
|
||||
in
|
||||
|
||||
|
@ -13,6 +13,7 @@
|
||||
./programs/pwdutils/pwdutils.nix
|
||||
./programs/ssh.nix
|
||||
./programs/ssmtp.nix
|
||||
./security/pam.nix
|
||||
./security/setuid-wrappers.nix
|
||||
./security/sudo.nix
|
||||
./services/audio/alsa.nix
|
||||
|
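--- a/modules/security/pam.nix
+++ b/modules/security/pam.nix
@@ -0,0 +1,57 @@
+# This module provides configuration for the PAM (Pluggable
+# Authentication Modules) system.
+
+{config, pkgs, ...}:
+
+let
+
+# !!! ugh, these files shouldn't be created here.
+pamConsoleHandlers = pkgs.writeText "console.handlers" ''
+console consoledevs /dev/tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
+${pkgs.pam_console}/sbin/pam_console_apply lock logfail wait -t tty -s -c ${pamConsolePerms}
+${pkgs.pam_console}/sbin/pam_console_apply unlock logfail wait -r -t tty -s -c ${pamConsolePerms}
+'';
+
+pamConsolePerms = ./console.perms;
+
+generatePAMConfig = program:
+let isLDAPEnabled = config.users.ldap.enable; in
+{ source = pkgs.substituteAll {
+src = ./pam.d + ("/" + program);
+inherit (pkgs) pam_unix2 pam_console;
+pam_ldap =
+if isLDAPEnabled
+then pkgs.pam_ldap
+else "/no-such-path";
+inherit (pkgs.xorg) xauth;
+inherit pamConsoleHandlers;
+isLDAPEnabled = if isLDAPEnabled then "" else "#";
+syncSambaPasswords = if config.services.samba.syncPasswordsByPam
+then "password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass"
+else "# change samba configuration options to make passwd sync the samba auth database as well here..";
+};
+target = "pam.d/" + program;
+};
+
+in
+
+{
+environment.etc = map generatePAMConfig
+[ "login"
+"su"
+"other"
+"passwd"
+"shadow"
+"sshd"
+"lshd"
+"useradd"
+"chsh"
+"xlock"
+"samba"
+"cups"
+"ftp"
+"ejabberd"
+"common"
+"common-console" # shared stuff for interactive local sessions
+];
+}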
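Review bot: `generatePAMConfig` still resolves its templates with `src = ./pam.d + ("/" + program);`, which is now relative to modules/security/, while the sibling path was updated from `./security/console.perms` to `./console.perms`; the page does not show a matching move of the pam.d directory, so confirm the templates now live at modules/security/pam.d, otherwise evaluation fails with a missing-path error for every program in the list. The substituted names (`pam_unix2`, `pam_console`, `pam_ldap`, `xauth`, `pamConsoleHandlers`, `isLDAPEnabled`, `syncSambaPasswords`) are an implicit contract with the `@name@` placeholders in those templates; a header comment such as `# Each ./pam.d/<program> template is filled by substituteAll with the attributes below.` would make that coupling visible to the next maintainer. It is also worth noting in a comment that `pam_ldap` may safely expand to `/no-such-path` only because `isLDAPEnabled` then expands to `#` and comments the LDAP lines out, so the two substitutions must stay paired. The `nullok` option on the pam_smbpass line carries over from the old location and appears to allow empty passwords to be propagated into the Samba password database; a one-line comment stating whether that is intentional would help reviewers of the password stack.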