Add option ‘users.motd’ for setting a message of the day shown on login

Note that this uses pam_motd.
2012-10-23 09:10:48 -04:00 · 2012-10-23 09:10:48 -04:00 · 224c825a36
commit 224c825a36
parent c980faebe2
3 changed files with 20 additions and 3 deletions
--- a/modules/programs/shadow.nix
+++ b/modules/programs/shadow.nix
@ -1,6 +1,6 @@
 # Configuration for the pwdutils suite of tools: passwd, useradd, etc.

-{config, pkgs, ...}:
+{ config, pkgs, ... }:

 let

@ -27,6 +27,7 @@ let
      # Uncomment this to allow non-root users to change their account
      #information.  This should be made configurable.
      #CHFN_RESTRICT frwh
+
    '';

 in
@ -90,7 +91,7 @@ in
        { name = "groupmod"; rootOK = true; }
        { name = "groupmems"; rootOK = true; }
        { name = "groupdel"; rootOK = true; }
-        { name = "login"; startSession = true; allowNullPassword = true; }
+        { name = "login"; startSession = true; allowNullPassword = true; showMotd = true; }
      ];

    security.setuidPrograms = [ "passwd" "chfn" "su" "newgrp" ];
--- a/modules/security/pam.nix
+++ b/modules/security/pam.nix
@ -29,6 +29,8 @@ let
                 concatStringsSep " " [ domain type item value ])
                limits));

+  motd = pkgs.writeText "motd" config.users.motd;
+
  makePAMService =
    { name
    , # If set, root doesn't need to authenticate (e.g. for the "chsh"
@ -58,6 +60,8 @@ let
      allowNullPassword ? false
    , # The limits, as per limits.conf(5).
      limits ? config.security.pam.loginLimits
+    , # Whether to show the message of the day.
+      showMotd ? false
    }:

    { source = pkgs.writeText "${name}.pam"
@ -110,6 +114,8 @@ let
              "session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99"}
          ${optionalString (limits != [])
              "session required ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf limits}"}
+          ${optionalString (showMotd && config.users.motd != null)
+              "session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}"}
        '';
      target = "pam.d/${name}";
    };
@ -201,6 +207,13 @@ in
        '';
    };

+    users.motd = mkOption {
+      default = null;
+      example = "Today is Sweetmorn, the 4th day of The Aftermath in the YOLD 3178.";
+      type = types.nullOr types.string;
+      description = "Message of the day shown to users when they log in.";
+    };
+
  };


--- a/modules/services/networking/ssh/sshd.nix
+++ b/modules/services/networking/ssh/sshd.nix
@ -358,7 +358,7 @@ in

    networking.firewall.allowedTCPPorts = cfg.ports;

-    security.pam.services = optional cfg.usePAM { name = "sshd"; startSession = true; };
+    security.pam.services = optional cfg.usePAM { name = "sshd"; startSession = true; showMotd = true; };

    services.openssh.extraConfig =
      ''
@ -390,10 +390,13 @@ in
        GatewayPorts ${cfg.gatewayPorts}
        PasswordAuthentication ${if cfg.passwordAuthentication then "yes" else "no"}
        ChallengeResponseAuthentication ${if cfg.challengeResponseAuthentication then "yes" else "no"}
+
+        PrintMotd no # handled by pam_motd
      '';

    assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true;
                    message = "cannot enable X11 forwarding without setting xauth location";}];
+
  };

 }