Unverified Commit 317c972e authored by Ryan Hendrickson's avatar Ryan Hendrickson Committed by GitHub

nixos/pam: conditional enabling of services (#399051)

parents 50923ed3 2ef16553
+2 −0
@@ -448,6 +448,8 @@
  - Overriding Wayland compositor is possible using `waylandSessionCompositor` option, but you might need to take care [`xfce4-session`](https://gitlab.xfce.org/xfce/xfce4-session/-/merge_requests/49), [`dbus-update-activation-environment`](https://github.com/labwc/labwc/blob/eaf11face68ee1f1bcc7ce1498304ca8c108c8ba/src/config/session.c#L234) and [`systemctl --user import-environment`](https://github.com/labwc/labwc/blob/eaf11face68ee1f1bcc7ce1498304ca8c108c8ba/src/config/session.c#L239) on startup.
  - For new Xfce installations, default panel layout has [changed](https://gitlab.xfce.org/xfce/xfce4-panel/-/merge_requests/158/diffs) to not include external panel plugins by default. You can still add them yourself using the "Panel Preferences" dialog.

- PAM services for `i3lock`/`i3lock-color`, `vlock`, `xlock`, and `xscreensaver` now default to disabled unless other corresponding NixOS options are set (`programs.i3lock.enable`, `console.enable`, `services.xserver.enable`, and `services.xscreensaver.enable`, respectively). If for some reason you want one of them back without setting the corresponding option, set, e.g., `security.pam.services.xlock.enable = true`.

- [`system.stateVersion`](#opt-system.stateVersion) is now validated and must be in the `"YY.MM"` format, ideally corresponding to a prior NixOS release.

- `services.mysql` now supports easy cluster setup via [`services.mysql.galeraCluster`](#opt-services.mysql.galeraCluster.enable) option.
+15 −8
@@ -145,6 +145,11 @@ let
          description = "Name of the PAM service.";
        };

        enable = lib.mkEnableOption "this PAM service" // {
          default = true;
          example = false;
        };

        rules = lib.mkOption {
          # This option is experimental and subject to breaking changes without notice.
          visible = false;
@@ -1566,6 +1571,8 @@ let
        Defaults env_keep+=SSH_AUTH_SOCK
      '';

  enabledServices = lib.filterAttrs (name: svc: svc.enable) config.security.pam.services;

in

{
@@ -2282,7 +2289,7 @@ in
      };
    };

    environment.etc = lib.mapAttrs' makePAMService config.security.pam.services;
    environment.etc = lib.mapAttrs' makePAMService enabledServices;

    security.pam.services =
      {
@@ -2298,11 +2305,11 @@ in
        '';

        # Most of these should be moved to specific modules.
        i3lock = { };
        i3lock-color = { };
        vlock = { };
        xlock = { };
        xscreensaver = { };
        i3lock.enable = lib.mkDefault config.programs.i3lock.enable;
        i3lock-color.enable = lib.mkDefault config.programs.i3lock.enable;
        vlock.enable = lib.mkDefault config.console.enable;
        xlock.enable = lib.mkDefault config.services.xserver.enable;
        xscreensaver.enable = lib.mkDefault config.services.xscreensaver.enable;

        runuser = {
          rootOK = true;
@@ -2327,11 +2334,11 @@ in

    security.apparmor.includes."abstractions/pam" =
      lib.concatMapStrings (name: "r ${config.environment.etc."pam.d/${name}".source},\n") (
        lib.attrNames config.security.pam.services
        lib.attrNames enabledServices
      )
      + (
        with lib;
        pipe config.security.pam.services [
        pipe enabledServices [
          lib.attrValues
          (catAttrs "rules")
          (lib.concatMap lib.attrValues)
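Review bot: The new `enable` option in the first hunk never states what disabling a service does — the `enabledServices` filter simply omits that file from `/etc/pam.d` — so a user who sets `security.pam.services.login.enable = false` or `security.pam.services.other.enable = false` gets no hint that console login, or the catch-all stack, will stop being configured, and Linux-PAM will presumably resolve such requests through whatever `other` file remains. I would replace the generic mkEnableOption text with something explicit, e.g. `description = "Whether to generate /etc/pam.d/<name> for this PAM service. When disabled the file is omitted entirely and PAM falls back to its 'other' configuration for programs that request this service.";`. An assertion that `other` stays enabled also seems worthwhile, since it appears to be the deny-all fallback (its `text` ends at the top of the fourth hunk but its body is not visible here). The enclosing `let` block and the module body both continue outside these hunks.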
+1 −1
@@ -15,7 +15,7 @@ let
    ${pkgs.lsof}/bin/lsof | ${pkgs.gnugrep}/bin/grep $MNTPT | ${pkgs.gawk}/bin/awk '{print $2}' | ${pkgs.findutils}/bin/xargs ${pkgs.util-linux}/bin/kill -$SIGNAL
  '';

  anyPamMount = lib.any (lib.attrByPath [ "pamMount" ] false) (
  anyPamMount = lib.any (svc: svc.enable && svc.pamMount) (
    lib.attrValues config.security.pam.services
  );
in
+3 −3
@@ -9,7 +9,7 @@ let

  cfg = config.services.xserver.displayManager;
  gdm = pkgs.gdm;
  pamCfg = config.security.pam.services;
  pamLogin = config.security.pam.services.login;
  settingsFormat = pkgs.formats.ini { };
  configFile = settingsFormat.generate "custom.conf" cfg.gdm.settings;

@@ -345,7 +345,7 @@ in
      gdm-autologin.text = ''
        auth      requisite     pam_nologin.so
        auth      required      pam_succeed_if.so uid >= 1000 quiet
        ${lib.optionalString pamCfg.login.enableGnomeKeyring ''
        ${lib.optionalString (pamLogin.enable && pamLogin.enableGnomeKeyring) ''
          auth       [success=ok default=1]      ${gdm}/lib/security/pam_gdm.so
          auth       optional                    ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so
        ''}
@@ -369,7 +369,7 @@ in
        auth       requisite                   pam_faillock.so      preauth
        auth       required                    ${pkgs.fprintd}/lib/security/pam_fprintd.so
        auth       required                    pam_env.so
        ${lib.optionalString pamCfg.login.enableGnomeKeyring ''
        ${lib.optionalString (pamLogin.enable && pamLogin.enableGnomeKeyring) ''
          auth       [success=ok default=1]      ${gdm}/lib/security/pam_gdm.so
          auth       optional                    ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so
        ''}
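Review bot: The new guards `pamLogin.enable && pamLogin.enableGnomeKeyring` in both hunks make the gdm-autologin and gdm-fingerprint stacks silently drop `pam_gdm`/`pam_gnome_keyring` whenever the separate `login` PAM service is disabled, and nothing near the `pamLogin` binding explains why `login` is the reference service for GDM's keyring behaviour. A short comment at that binding would save the next reader a trip through pam.nix, e.g. `# GDM's extra stacks mirror the keyring setting of the "login" service; a disabled service's options are not consulted, so the keyring modules are omitted too.` The `pamLogin` let-binding and both `security.pam.services.gdm-*.text` definitions start or end outside the visible hunks.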