From 2ef165538a64cdbf0b4e8d549bb519a754e8243a Mon Sep 17 00:00:00 2001
From: Ryan Hendrickson
Date: Tue, 15 Apr 2025 23:19:42 -0400
Subject: [PATCH] nixos/pam: conditional enabling of services

---
 .../manual/release-notes/rl-2505.section.md | 2 ++
 nixos/modules/security/pam.nix | 23 ++++++++++++-------
 nixos/modules/security/pam_mount.nix | 2 +-
 .../services/x11/display-managers/gdm.nix | 6 ++---
 4 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/nixos/doc/manual/release-notes/rl-2505.section.md b/nixos/doc/manual/release-notes/rl-2505.section.md
index 3978772d32d8..c461b0c1561f 100644
--- a/nixos/doc/manual/release-notes/rl-2505.section.md
+++ b/nixos/doc/manual/release-notes/rl-2505.section.md
@@ -441,6 +441,8 @@
 - Overriding Wayland compositor is possible using `waylandSessionCompositor` option, but you might need to take care [`xfce4-session`](https://gitlab.xfce.org/xfce/xfce4-session/-/merge_requests/49), [`dbus-update-activation-environment`](https://github.com/labwc/labwc/blob/eaf11face68ee1f1bcc7ce1498304ca8c108c8ba/src/config/session.c#L234) and [`systemctl --user import-environment`](https://github.com/labwc/labwc/blob/eaf11face68ee1f1bcc7ce1498304ca8c108c8ba/src/config/session.c#L239) on startup.
 - For new Xfce installations, default panel layout has [changed](https://gitlab.xfce.org/xfce/xfce4-panel/-/merge_requests/158/diffs) to not include external panel plugins by default. You can still add them yourself using the "Panel Preferences" dialog.
+- PAM services for `i3lock`/`i3lock-color`, `vlock`, `xlock`, and `xscreensaver` now default to disabled unless other corresponding NixOS options are set (`programs.i3lock.enable`, `console.enable`, `services.xserver.enable`, and `services.xscreensaver.enable`, respectively). If for some reason you want one of them back without setting the corresponding option, set, e.g., `security.pam.services.xlock.enable = true`.
+
 - [`system.stateVersion`](#opt-system.stateVersion) is now validated and must be in the `"YY.MM"` format, ideally corresponding to a prior NixOS release.
 - `services.mysql` now supports easy cluster setup via [`services.mysql.galeraCluster`](#opt-services.mysql.galeraCluster.enable) option.
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index de74e5cda3c5..ad4e32e82561 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -145,6 +145,11 @@ let
 description = "Name of the PAM service.";
 };
+ enable = lib.mkEnableOption "this PAM service" // {
+ default = true;
+ example = false;
+ };
+
 rules = lib.mkOption {
 # This option is experimental and subject to breaking changes without notice.
 visible = false;
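Review bot: The new `enable` option does not say what disabling it does; judging from the `environment.etc` change later in this patch, a disabled service simply gets no `/etc/pam.d/<name>` file, so a program that calls PAM with that service name is presumably handled by PAM's fallback `other` configuration rather than being rejected at evaluation time. A `description` override inside the `// { ... }` set stating that, and mentioning that a few services have their default tied to another NixOS option, would spare the next reader a trip through the rest of the module. The service submodule's option set starts outside the hunk.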
@@ -1566,6 +1571,8 @@ let
 Defaults env_keep+=SSH_AUTH_SOCK
 '';
+ enabledServices = lib.filterAttrs (name: svc: svc.enable) config.security.pam.services;
+
 in
 {
@@ -2282,7 +2289,7 @@ in
 };
 };
- environment.etc = lib.mapAttrs' makePAMService config.security.pam.services;
+ environment.etc = lib.mapAttrs' makePAMService enabledServices;
 security.pam.services = {
@@ -2298,11 +2305,11 @@ in
 '';
 # Most of these should be moved to specific modules.
- i3lock = { };
- i3lock-color = { };
- vlock = { };
- xlock = { };
- xscreensaver = { };
+ i3lock.enable = lib.mkDefault config.programs.i3lock.enable;
+ i3lock-color.enable = lib.mkDefault config.programs.i3lock.enable;
+ vlock.enable = lib.mkDefault config.console.enable;
+ xlock.enable = lib.mkDefault config.services.xserver.enable;
+ xscreensaver.enable = lib.mkDefault config.services.xscreensaver.enable;
 runuser = {
 rootOK = true;
@@ -2327,11 +2334,11 @@ in
 security.apparmor.includes."abstractions/pam" =
 lib.concatMapStrings (name: "r ${config.environment.etc."pam.d/${name}".source},\n") (
- lib.attrNames config.security.pam.services
+ lib.attrNames enabledServices
 )
 + (
 with lib;
- pipe config.security.pam.services [
+ pipe enabledServices [
 lib.attrValues
 (catAttrs "rules")
 (lib.concatMap lib.attrValues)
diff --git a/nixos/modules/security/pam_mount.nix b/nixos/modules/security/pam_mount.nix
index d47f2ec05521..fbc5fe1ed2b3 100644
--- a/nixos/modules/security/pam_mount.nix
+++ b/nixos/modules/security/pam_mount.nix
@@ -15,7 +15,7 @@ let
 ${pkgs.lsof}/bin/lsof | ${pkgs.gnugrep}/bin/grep $MNTPT | ${pkgs.gawk}/bin/awk '{print $2}' | ${pkgs.findutils}/bin/xargs ${pkgs.util-linux}/bin/kill -$SIGNAL
 '';
- anyPamMount = lib.any (lib.attrByPath [ "pamMount" ] false) (
+ anyPamMount = lib.any (svc: svc.enable && svc.pamMount) (
 lib.attrValues config.security.pam.services
 );
 in
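Review bot: The `enabledServices` lambda never uses its first argument; writing it as `enabledServices = lib.filterAttrs (_: svc: svc.enable) config.security.pam.services;` makes that explicit. A one-line comment above it saying that every other consumer of `config.security.pam.services` in this module should go through this binding would help keep later additions consistent with the `environment.etc` and AppArmor changes further down. The `let` block this binding sits in starts outside the hunk.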
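Review bot: Generating `environment.etc` from `enabledServices` only means any module that reads `config.environment.etc."pam.d/${name}"` for a service whose `enable` evaluates to false now fails at evaluation with a missing attribute; the AppArmor include block in the hunk at -2327 is adjusted accordingly, but other readers of `security.pam.services.<name>` outside this patch are not visible here and should be checked for the same assumption. A short comment on this line, e.g. `# disabled services intentionally get no /etc/pam.d entry`, would keep the omission from being mistaken for a bug later.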
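Review bot: The `vlock` default tracks `config.console.enable`, which I believe is on by default, so unlike the other four entries its effective default stays enabled on most systems; the release-note entry in this patch groups it with the services that are now off by default, which may mislead readers. Either tie it to a narrower option or add a comment above the block such as `# enable defaults follow the option that installs each program; console.enable is normally true, so vlock usually stays on`. The attribute set these entries belong to continues outside the hunk.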
diff --git a/nixos/modules/services/x11/display-managers/gdm.nix b/nixos/modules/services/x11/display-managers/gdm.nix
index d5bad47e52a4..3ee04d328c87 100644
--- a/nixos/modules/services/x11/display-managers/gdm.nix
+++ b/nixos/modules/services/x11/display-managers/gdm.nix
@@ -9,7 +9,7 @@ let
 cfg = config.services.xserver.displayManager;
 gdm = pkgs.gdm;
- pamCfg = config.security.pam.services;
+ pamLogin = config.security.pam.services.login;
 settingsFormat = pkgs.formats.ini { };
 configFile = settingsFormat.generate "custom.conf" cfg.gdm.settings;
@@ -345,7 +345,7 @@ in
 gdm-autologin.text = ''
 auth requisite pam_nologin.so
 auth required pam_succeed_if.so uid >= 1000 quiet
- ${lib.optionalString pamCfg.login.enableGnomeKeyring ''
+ ${lib.optionalString (pamLogin.enable && pamLogin.enableGnomeKeyring) ''
 auth [success=ok default=1] ${gdm}/lib/security/pam_gdm.so
 auth optional ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so
 ''}
@@ -369,7 +369,7 @@ in
 auth requisite pam_faillock.so preauth
 auth required ${pkgs.fprintd}/lib/security/pam_fprintd.so
 auth required pam_env.so
- ${lib.optionalString pamCfg.login.enableGnomeKeyring ''
+ ${lib.optionalString (pamLogin.enable && pamLogin.enableGnomeKeyring) ''
 auth [success=ok default=1] ${gdm}/lib/security/pam_gdm.so
 auth optional ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so
 ''}
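Review bot: `pamLogin.enable && pamLogin.enableGnomeKeyring` is spelled out inline here and again in the hunk at -369; binding it once in the `let` block, e.g. `loginGnomeKeyring = pamLogin.enable && pamLogin.enableGnomeKeyring;`, and using `lib.optionalString loginGnomeKeyring` at both sites keeps the two PAM stacks from drifting apart. A one-line comment on that binding explaining why the gnome-keyring lines in the gdm stacks depend on the `login` service being enabled would also help, since that coupling is not obvious from the gdm-autologin stack alone. Both `text` strings continue outside their hunks.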