nixos/pam: add option failDelay

Co-authored-by: Bobby Rong <rjl931189261@126.com>
2022-11-07 19:16:35 +08:00 · 2022-11-07 19:16:35 +08:00 · ab0ae8f5e1
commit ab0ae8f5e1
parent 1c64f29ee9
1 changed files with 22 additions and 0 deletions
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@ -383,6 +383,24 @@ let
        '';
      };

+      failDelay = {
+        enable = mkOption {
+          type = types.bool;
+          default = false;
+          description = lib.mdDoc ''
+            If enabled, this will replace the `FAIL_DELAY` setting from `login.defs`.
+            Change the delay on failure per-application.
+            '';
+        };
+
+        delay = mkOption {
+          default = 3000000;
+          type = types.int;
+          example = 1000000;
+          description = lib.mdDoc "The delay time (in microseconds) on failure.";
+        };
+      };
+
      gnupg = {
        enable = mkOption {
          type = types.bool;
@ -513,6 +531,7 @@ let
              || cfg.enableGnomeKeyring
              || cfg.googleAuthenticator.enable
              || cfg.gnupg.enable
+              || cfg.failDelay.enable
              || cfg.duoSecurity.enable))
            (
              ''
@ -533,6 +552,9 @@ let
              optionalString cfg.gnupg.enable ''
                auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so ${optionalString cfg.gnupg.storeOnly " store-only"}
              '' +
+              optionalString cfg.failDelay.enable ''
+                auth optional ${pkgs.pam}/lib/security/pam_faildelay.so delay=${toString cfg.failDelay.delay}
+              '' +
              optionalString cfg.googleAuthenticator.enable ''
                auth required ${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so no_increment_hotp
              '' +