nixos/modules/security/pam: add pam_sduserdb support

2022-07-10 16:45:13 +00:00 · 2022-07-10 16:45:13 +00:00 · 6c07a56a9f
parent 880556c549
commit 6c07a56a9f
1 changed files with 29 additions and 1 deletions
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@ -27,6 +27,15 @@ let
        '';
      };

+      use_userdb = mkOption {
+        default = config.security.pam.userdb.enable;
+        defaultText = literalExpression "config.security.pam.userdb.enable";
+        type = types.bool;
+        description = ''
+          Allow login using accounts defined in the systemd user database
+        '';
+      };
+
      rootOK = mkOption {
        default = false;
        type = types.bool;
@ -479,6 +488,11 @@ let
          ''
            # Account management.
          '' +
+          optionalString cfg.use_userdb ''
+            account sufficient ${pkgs.pam_sduserdb}/lib/security/pam_sduserdb.so
+          '' + ''
+            account required pam_unix.so
+          '' +
          optionalString use_ldap ''
            account sufficient ${pam_ldap}/lib/security/pam_ldap.so
          '' +
@ -945,6 +959,17 @@ in
      };
    };

+    security.pam.userdb = {
+      enable = mkOption {
+        default = false;
+        type = types.bool;
+        description = ''
+          Enable login using accounts defined in the systemd user database
+        '';
+      };
+
+    };
+
    security.pam.p11 = {
      enable = mkOption {
        default = false;
@ -1468,6 +1493,9 @@ in
      optionalString config.services.homed.enable ''
        mr ${config.systemd.package}/lib/security/pam_systemd_home.so
      '';
-  };

+    services.userdbd = mkIf config.security.pam.userdb.enable {
+      enable = true;
+    };
+  };
 }