svn path=/nixos/branches/modular-nixos/; revision=15766wip/yesman
parent
de7aae5d5e
commit
14f1c81822
@ -0,0 +1,57 @@ |
||||
# This module provides configuration for the PAM (Pluggable |
||||
# Authentication Modules) system. |
||||
|
||||
{config, pkgs, ...}: |
||||
|
||||
let |
||||
|
||||
# !!! ugh, these files shouldn't be created here. |
||||
pamConsoleHandlers = pkgs.writeText "console.handlers" '' |
||||
console consoledevs /dev/tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9] |
||||
${pkgs.pam_console}/sbin/pam_console_apply lock logfail wait -t tty -s -c ${pamConsolePerms} |
||||
${pkgs.pam_console}/sbin/pam_console_apply unlock logfail wait -r -t tty -s -c ${pamConsolePerms} |
||||
''; |
||||
|
||||
pamConsolePerms = ./console.perms; |
||||
|
||||
generatePAMConfig = program: |
||||
let isLDAPEnabled = config.users.ldap.enable; in |
||||
{ source = pkgs.substituteAll { |
||||
src = ./pam.d + ("/" + program); |
||||
inherit (pkgs) pam_unix2 pam_console; |
||||
pam_ldap = |
||||
if isLDAPEnabled |
||||
then pkgs.pam_ldap |
||||
else "/no-such-path"; |
||||
inherit (pkgs.xorg) xauth; |
||||
inherit pamConsoleHandlers; |
||||
isLDAPEnabled = if isLDAPEnabled then "" else "#"; |
||||
syncSambaPasswords = if config.services.samba.syncPasswordsByPam |
||||
then "password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass" |
||||
else "# change samba configuration options to make passwd sync the samba auth database as well here.."; |
||||
}; |
||||
target = "pam.d/" + program; |
||||
}; |
||||
|
||||
in |
||||
|
||||
{ |
||||
environment.etc = map generatePAMConfig |
||||
[ "login" |
||||
"su" |
||||
"other" |
||||
"passwd" |
||||
"shadow" |
||||
"sshd" |
||||
"lshd" |
||||
"useradd" |
||||
"chsh" |
||||
"xlock" |
||||
"samba" |
||||
"cups" |
||||
"ftp" |
||||
"ejabberd" |
||||
"common" |
||||
"common-console" # shared stuff for interactive local sessions |
||||
]; |
||||
} |
Loading…
Reference in new issue