colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

common/polyunfill: simplify my config by using the new security.pam.package option

Browse Source
This commit is contained in:
Colin
2024-08-02 10:04:20 +00:00
parent 89d678c729
commit c490b6e6ad
1 changed files with 25 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
hosts/common/polyunfill.nix
View File

@@ -6,7 +6,6 @@ let
# nixpkgs' pam hardcodes unix_chkpwd path to the /run/wrappers one, # nixpkgs' pam hardcodes unix_chkpwd path to the /run/wrappers one,
# but i don't want the wrapper, so undo that. # but i don't want the wrapper, so undo that.
# ideally i would patch this via an overlay, but pam is in the bootstrap so that forces a full rebuild. # ideally i would patch this via an overlay, but pam is in the bootstrap so that forces a full rebuild.
# TODO: add a `package` option to the nixos' pam module and substitute it that way.
postPatch = (if upstream.postPatch != null then upstream.postPatch else "") + '' postPatch = (if upstream.postPatch != null then upstream.postPatch else "") + ''
substituteInPlace modules/pam_unix/Makefile.am --replace-fail \ substituteInPlace modules/pam_unix/Makefile.am --replace-fail \
"/run/wrappers/bin/unix_chkpwd" "$out/bin/unix_chkpwd" "/run/wrappers/bin/unix_chkpwd" "$out/bin/unix_chkpwd"
@@ -39,36 +38,29 @@ in
])); ]));
}; };
options.security.pam.services = lib.mkOption { options.security.pam.services = lib.mkOption {
apply = services: let apply = lib.filterAttrs (name: _: !(builtins.elem name [
filtered = lib.filterAttrs (name: _: !(builtins.elem name [ # from <repo:nixos/nixpkgs:nixos/modules/security/pam.nix>
# from <repo:nixos/nixpkgs:nixos/modules/security/pam.nix> "i3lock"
"i3lock" "i3lock-color"
"i3lock-color" "vlock"
"vlock" "xlock"
"xlock" "xscreensaver"
"xscreensaver" "runuser"
"runuser" "runuser-l"
"runuser-l" # from ??
# from ?? "chfn"
"chfn" "chpasswd"
"chpasswd" "chsh"
"chsh" "groupadd"
"groupadd" "groupdel"
"groupdel" "groupmems"
"groupmems" "groupmod"
"groupmod" "useradd"
"useradd" "userdel"
"userdel" "usermod"
"usermod" # from <repo:nixos/nixpkgs:nixos/modules/system/boot/systemd/user.nix>
# from <repo:nixos/nixpkgs:nixos/modules/system/boot/systemd/user.nix> "systemd-user" #< N.B.: this causes the `systemd --user` service manager to not be started!
"systemd-user" #< N.B.: this causes the `systemd --user` service manager to not be started! ]));
])) services;
in lib.mapAttrs (_serviceName: service: service // {
# replace references with the old pam_unix, which calls into /run/wrappers/bin/unix_chkpwd,
# with a pam_unix that calls into unix_chkpwd via the nix store.
# TODO: use `security.pam.package` instead once <https://github.com/NixOS/nixpkgs/pull/314791> lands.
text = lib.replaceStrings [" pam_unix.so" ] [ " ${suidlessPam}/lib/security/pam_unix.so" ] service.text;
}) filtered;
}; };
options.environment.systemPackages = lib.mkOption { options.environment.systemPackages = lib.mkOption {
@@ -225,5 +217,7 @@ in
# systemd.packages = [ pkgs.lvm2 ]; # systemd.packages = [ pkgs.lvm2 ];
# systemd.tmpfiles.packages = [ pkgs.lvm2.out ]; # systemd.tmpfiles.packages = [ pkgs.lvm2.out ];
# environment.systemPackages = [ pkgs.lvm2 ]; # environment.systemPackages = [ pkgs.lvm2 ];
security.pam.package = suidlessPam;
}; };
} }