JakeHillion/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

nixos/ecryptfs: init

Browse Source 
Currently, ecryptfs support is coupled to `security.pam.enableEcryptfs`, but one
might want to use ecryptfs without enabling the PAM functionality. This commit
splits it out into a `boot.supportedFilesystems` switch.
This commit is contained in:
edef 2017-10-07 17:27:46 +02:00 committed by obadz
parent 7867b50881
commit ea35bc94bf
3 changed files with 19 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
nixos/modules/module-list.nix
View File

@ -696,6 +696,7 @@
./tasks/filesystems/bcachefs.nix
./tasks/filesystems/btrfs.nix
./tasks/filesystems/cifs.nix
./tasks/filesystems/ecryptfs.nix
./tasks/filesystems/exfat.nix
./tasks/filesystems/ext.nix
./tasks/filesystems/f2fs.nix

10
nixos/modules/security/pam.nix
View File

@ -486,8 +486,9 @@ in
++ optionals config.krb5.enable [pam_krb5 pam_ccreds]
++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]
++ optionals config.security.pam.oath.enable [ pkgs.oathToolkit ]
++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ]
++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ];
++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ];
boot.supportedFilesystems = optionals config.security.pam.enableEcryptfs [ "ecryptfs" ];
security.wrappers = {
unix_chkpwd = {
@ -495,10 +496,7 @@ in
owner = "root";
setuid = true;
};
} // (if config.security.pam.enableEcryptfs then {
"mount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
"umount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
} else {});
};
environment.etc =
mapAttrsToList (n: v: makePAMService v) config.security.pam.services;

14
nixos/modules/tasks/filesystems/ecryptfs.nix Normal file
View File

@ -0,0 +1,14 @@
{ config, lib, pkgs, ... }:
# TODO: make ecryptfs work in initramfs?
with lib;
{
config = mkIf (any (fs: fs == "ecryptfs") config.boot.supportedFilesystems) {
system.fsPackages = [ pkgs.ecryptfs ];
security.wrappers = {
"mount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
"umount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
};
};
}