* Move PAM configuration to modules/security/pam.nix.

svn path=/nixos/branches/modular-nixos/; revision=15766

etc/default.nix

@@ -37,59 +37,6 @@ in
 let
   optional = pkgs.lib.optional;
 
-
-  # !!! ugh, these files shouldn't be created here.
-  pamConsoleHandlers = pkgs.writeText "console.handlers" ''
-    console consoledevs /dev/tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
-    ${pkgs.pam_console}/sbin/pam_console_apply lock logfail wait -t tty -s -c ${pamConsolePerms}
-    ${pkgs.pam_console}/sbin/pam_console_apply unlock logfail wait -r -t tty -s -c ${pamConsolePerms}
-  '';
-
-  pamConsolePerms = ./security/console.perms;
-
-  configFiles = 
-
-  # A bunch of PAM configuration files for various programs.
-  (map
-    (program:
-      let isLDAPEnabled = config.users.ldap.enable; in
-      { source = pkgs.substituteAll {
-          src = ./pam.d + ("/" + program);
-          inherit (pkgs) pam_unix2 pam_console;
-          pam_ldap =
-            if isLDAPEnabled
-            then pkgs.pam_ldap
-            else "/no-such-path";
-          inherit (pkgs.xorg) xauth;
-          inherit pamConsoleHandlers;
-          isLDAPEnabled = if isLDAPEnabled then "" else "#";
-          syncSambaPasswords = if config.services.samba.syncPasswordsByPam
-            then "password   optional     ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass"
-            else "# change samba configuration options to make passwd sync the samba auth database as well here..";
-        };
-        target = "pam.d/" + program;
-      }
-    )
-    [
-      "login"
-      "su"
-      "other"
-      "passwd"
-      "shadow"
-      "sshd"
-      "lshd"
-      "useradd"
-      "chsh"
-      "xlock"
-      "samba"
-      "cups"
-      "ftp"
-      "ejabberd"
-      "common"
-      "common-console" # shared stuff for interactive local sessions
-    ]
-  );
-
 in
 
 let
@@ -109,7 +56,7 @@ let
 
   makeEtc = import ../helpers/make-etc.nix {
     inherit (pkgs) stdenv;
-    configFiles = configFiles ++ config.environment.etc;
+    configFiles = config.environment.etc;
   };
 in
 

modules/module-list.nix

@@ -13,6 +13,7 @@
   ./programs/pwdutils/pwdutils.nix
   ./programs/ssh.nix
   ./programs/ssmtp.nix
+  ./security/pam.nix
   ./security/setuid-wrappers.nix
   ./security/sudo.nix
   ./services/audio/alsa.nix

modules/security/pam.nix

@@ -0,0 +1,57 @@
+# This module provides configuration for the PAM (Pluggable
+# Authentication Modules) system.
+
+{config, pkgs, ...}:
+
+let
+
+  # !!! ugh, these files shouldn't be created here.
+  pamConsoleHandlers = pkgs.writeText "console.handlers" ''
+    console consoledevs /dev/tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
+    ${pkgs.pam_console}/sbin/pam_console_apply lock logfail wait -t tty -s -c ${pamConsolePerms}
+    ${pkgs.pam_console}/sbin/pam_console_apply unlock logfail wait -r -t tty -s -c ${pamConsolePerms}
+  '';
+
+  pamConsolePerms = ./console.perms;
+
+  generatePAMConfig = program:
+    let isLDAPEnabled = config.users.ldap.enable; in
+    { source = pkgs.substituteAll {
+        src = ./pam.d + ("/" + program);
+        inherit (pkgs) pam_unix2 pam_console;
+        pam_ldap =
+          if isLDAPEnabled
+          then pkgs.pam_ldap
+          else "/no-such-path";
+        inherit (pkgs.xorg) xauth;
+        inherit pamConsoleHandlers;
+        isLDAPEnabled = if isLDAPEnabled then "" else "#";
+        syncSambaPasswords = if config.services.samba.syncPasswordsByPam
+          then "password   optional     ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass"
+          else "# change samba configuration options to make passwd sync the samba auth database as well here..";
+      };
+      target = "pam.d/" + program;
+    };
+
+in
+
+{
+  environment.etc =  map generatePAMConfig 
+    [ "login"
+      "su"
+      "other"
+      "passwd"
+      "shadow"
+      "sshd"
+      "lshd"
+      "useradd"
+      "chsh"
+      "xlock"
+      "samba"
+      "cups"
+      "ftp"
+      "ejabberd"
+      "common"
+      "common-console" # shared stuff for interactive local sessions
+    ];
+}