diff --git a/etc/default.nix b/etc/default.nix
index cbcb094a0528..fad75ccbf31f 100644
--- a/etc/default.nix
+++ b/etc/default.nix
@@ -37,59 +37,6 @@ in
 let
 optional = pkgs.lib.optional;
-
- # !!! ugh, these files shouldn't be created here.
- pamConsoleHandlers = pkgs.writeText "console.handlers" ''
- console consoledevs /dev/tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
- ${pkgs.pam_console}/sbin/pam_console_apply lock logfail wait -t tty -s -c ${pamConsolePerms}
- ${pkgs.pam_console}/sbin/pam_console_apply unlock logfail wait -r -t tty -s -c ${pamConsolePerms}
- '';
-
- pamConsolePerms = ./security/console.perms;
-
- configFiles =
-
- # A bunch of PAM configuration files for various programs.
- (map
- (program:
- let isLDAPEnabled = config.users.ldap.enable; in
- { source = pkgs.substituteAll {
- src = ./pam.d + ("/" + program);
- inherit (pkgs) pam_unix2 pam_console;
- pam_ldap =
- if isLDAPEnabled
- then pkgs.pam_ldap
- else "/no-such-path";
- inherit (pkgs.xorg) xauth;
- inherit pamConsoleHandlers;
- isLDAPEnabled = if isLDAPEnabled then "" else "#";
- syncSambaPasswords = if config.services.samba.syncPasswordsByPam
- then "password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass"
- else "# change samba configuration options to make passwd sync the samba auth database as well here..";
- };
- target = "pam.d/" + program;
- }
- )
- [
- "login"
- "su"
- "other"
- "passwd"
- "shadow"
- "sshd"
- "lshd"
- "useradd"
- "chsh"
- "xlock"
- "samba"
- "cups"
- "ftp"
- "ejabberd"
- "common"
- "common-console" # shared stuff for interactive local sessions
- ]
- );
-
 in
 let
@@ -109,7 +56,7 @@ let
 makeEtc = import ../helpers/make-etc.nix {
 inherit (pkgs) stdenv;
- configFiles = configFiles ++ config.environment.etc;
+ configFiles = config.environment.etc;
 };
 in
diff --git a/modules/module-list.nix b/modules/module-list.nix
index 2f72d14d2b73..a6843e097029 100644
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@@ -13,6 +13,7 @@
 ./programs/pwdutils/pwdutils.nix
 ./programs/ssh.nix
 ./programs/ssmtp.nix
+ ./security/pam.nix
 ./security/setuid-wrappers.nix
 ./security/sudo.nix
 ./services/audio/alsa.nix
diff --git a/etc/security/console.perms b/modules/security/console.perms
similarity index 100%
rename from etc/security/console.perms
rename to modules/security/console.perms
diff --git a/etc/pam.d/chsh b/modules/security/pam.d/chsh
similarity index 100%
rename from etc/pam.d/chsh
rename to modules/security/pam.d/chsh
diff --git a/etc/pam.d/common b/modules/security/pam.d/common
similarity index 100%
rename from etc/pam.d/common
rename to modules/security/pam.d/common
diff --git a/etc/pam.d/common-console b/modules/security/pam.d/common-console
similarity index 100%
rename from etc/pam.d/common-console
rename to modules/security/pam.d/common-console
diff --git a/etc/pam.d/cups b/modules/security/pam.d/cups
similarity index 100%
rename from etc/pam.d/cups
rename to modules/security/pam.d/cups
diff --git a/etc/pam.d/ejabberd b/modules/security/pam.d/ejabberd
similarity index 100%
rename from etc/pam.d/ejabberd
rename to modules/security/pam.d/ejabberd
diff --git a/etc/pam.d/ftp b/modules/security/pam.d/ftp
similarity index 100%
rename from etc/pam.d/ftp
rename to modules/security/pam.d/ftp
diff --git a/etc/pam.d/login b/modules/security/pam.d/login
similarity index 100%
rename from etc/pam.d/login
rename to modules/security/pam.d/login
diff --git a/etc/pam.d/lshd b/modules/security/pam.d/lshd
similarity index 100%
rename from etc/pam.d/lshd
rename to modules/security/pam.d/lshd
diff --git a/etc/pam.d/other b/modules/security/pam.d/other
similarity index 100%
rename from etc/pam.d/other
rename to modules/security/pam.d/other
diff --git a/etc/pam.d/passwd b/modules/security/pam.d/passwd
similarity index 100%
rename from etc/pam.d/passwd
rename to modules/security/pam.d/passwd
diff --git a/etc/pam.d/samba b/modules/security/pam.d/samba
similarity index 100%
rename from etc/pam.d/samba
rename to modules/security/pam.d/samba
diff --git a/etc/pam.d/shadow b/modules/security/pam.d/shadow
similarity index 100%
rename from etc/pam.d/shadow
rename to modules/security/pam.d/shadow
diff --git a/etc/pam.d/sshd b/modules/security/pam.d/sshd
similarity index 100%
rename from etc/pam.d/sshd
rename to modules/security/pam.d/sshd
diff --git a/etc/pam.d/su b/modules/security/pam.d/su
similarity index 100%
rename from etc/pam.d/su
rename to modules/security/pam.d/su
diff --git a/etc/pam.d/useradd b/modules/security/pam.d/useradd
similarity index 100%
rename from etc/pam.d/useradd
rename to modules/security/pam.d/useradd
diff --git a/etc/pam.d/xlock b/modules/security/pam.d/xlock
similarity index 100%
rename from etc/pam.d/xlock
rename to modules/security/pam.d/xlock
diff --git a/modules/security/pam.nix b/modules/security/pam.nix
new file mode 100644
index 000000000000..8ac6fddcc639
--- /dev/null
+++ b/modules/security/pam.nix
@@ -0,0 +1,57 @@
+# This module provides configuration for the PAM (Pluggable
+# Authentication Modules) system.
+
+{config, pkgs, ...}:
+
+let
+
+ # !!! ugh, these files shouldn't be created here.
+ pamConsoleHandlers = pkgs.writeText "console.handlers" ''
+ console consoledevs /dev/tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
+ ${pkgs.pam_console}/sbin/pam_console_apply lock logfail wait -t tty -s -c ${pamConsolePerms}
+ ${pkgs.pam_console}/sbin/pam_console_apply unlock logfail wait -r -t tty -s -c ${pamConsolePerms}
+ '';
+
+ pamConsolePerms = ./console.perms;
+
+ generatePAMConfig = program:
+ let isLDAPEnabled = config.users.ldap.enable; in
+ { source = pkgs.substituteAll {
+ src = ./pam.d + ("/" + program);
+ inherit (pkgs) pam_unix2 pam_console;
+ pam_ldap =
+ if isLDAPEnabled
+ then pkgs.pam_ldap
+ else "/no-such-path";
+ inherit (pkgs.xorg) xauth;
+ inherit pamConsoleHandlers;
+ isLDAPEnabled = if isLDAPEnabled then "" else "#";
+ syncSambaPasswords = if config.services.samba.syncPasswordsByPam
+ then "password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass"
+ else "# change samba configuration options to make passwd sync the samba auth database as well here..";
+ };
+ target = "pam.d/" + program;
+ };
+
+in
+
+{
+ environment.etc = map generatePAMConfig
+ [ "login"
+ "su"
+ "other"
+ "passwd"
+ "shadow"
+ "sshd"
+ "lshd"
+ "useradd"
+ "chsh"
+ "xlock"
+ "samba"
+ "cups"
+ "ftp"
+ "ejabberd"
+ "common"
+ "common-console" # shared stuff for interactive local sessions
+ ];
+}
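Review bot: `generatePAMConfig` carries no comment describing its contract with the templates under `./pam.d`, even though this module now owns the PAM stacks for all sixteen `pam.d` entries listed below it: each attribute handed to `pkgs.substituteAll` presumably fills an `@name@` placeholder in the template (the templates are renamed at 100% similarity, so their content is not visible in this diff), `isLDAPEnabled` doubles as a `#` comment marker, and `pam_ldap` falls back to the sentinel `"/no-such-path"`. A comment above the binding such as `# Each attribute fills an @name@ placeholder in ./pam.d/<program>. With LDAP off, @isLDAPEnabled@ expands to "#" so the LDAP lines are commented out; the "/no-such-path" value for @pam_ldap@ is therefore never loaded and must only appear on those lines.` would make that coupling explicit, since a template line that uses `@pam_ldap@` without the `@isLDAPEnabled@` prefix would otherwise yield a PAM stack pointing at a nonexistent module. The `# !!! ugh, these files shouldn't be created here.` comment is carried over verbatim and still does not say what the objection is; a TODO naming where `console.handlers` and `console.perms` are meant to live would help the next maintainer. The `nullok` flag on the `syncSambaPasswords` line is likewise moved unchanged, and as this module is now where that policy lives, a one-line comment stating whether accepting an empty password for the Samba sync is intentional is worth adding.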