|
|
|
@ -65,42 +65,40 @@ in |
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
config = { |
|
|
|
|
|
|
|
|
|
system.build.pamEnvironment = |
|
|
|
|
let |
|
|
|
|
suffixedVariables = |
|
|
|
|
flip mapAttrs cfg.profileRelativeSessionVariables (envVar: suffixes: |
|
|
|
|
flip concatMap cfg.profiles (profile: |
|
|
|
|
map (suffix: "${profile}${suffix}") suffixes |
|
|
|
|
) |
|
|
|
|
); |
|
|
|
|
|
|
|
|
|
# We're trying to use the same syntax for PAM variables and env variables. |
|
|
|
|
# That means we need to map the env variables that people might use to their |
|
|
|
|
# equivalent PAM variable. |
|
|
|
|
replaceEnvVars = replaceStrings ["$HOME" "$USER"] ["@{HOME}" "@{PAM_USER}"]; |
|
|
|
|
|
|
|
|
|
pamVariable = n: v: |
|
|
|
|
''${n} DEFAULT="${concatStringsSep ":" (map replaceEnvVars (toList v))}"''; |
|
|
|
|
|
|
|
|
|
pamVariables = |
|
|
|
|
concatStringsSep "\n" |
|
|
|
|
(mapAttrsToList pamVariable |
|
|
|
|
(zipAttrsWith (n: concatLists) |
|
|
|
|
[ |
|
|
|
|
# Make sure security wrappers are prioritized without polluting |
|
|
|
|
# shell environments with an extra entry. Sessions which depend on |
|
|
|
|
# pam for its environment will otherwise have eg. broken sudo. In |
|
|
|
|
# particular Gnome Shell sometimes fails to source a proper |
|
|
|
|
# environment from a shell. |
|
|
|
|
{ PATH = [ config.security.wrapperDir ]; } |
|
|
|
|
|
|
|
|
|
(mapAttrs (n: toList) cfg.sessionVariables) |
|
|
|
|
suffixedVariables |
|
|
|
|
])); |
|
|
|
|
in |
|
|
|
|
pkgs.writeText "pam-environment" "${pamVariables}\n"; |
|
|
|
|
|
|
|
|
|
environment.etc."pam/environment".text = let |
|
|
|
|
suffixedVariables = |
|
|
|
|
flip mapAttrs cfg.profileRelativeSessionVariables (envVar: suffixes: |
|
|
|
|
flip concatMap cfg.profiles (profile: |
|
|
|
|
map (suffix: "${profile}${suffix}") suffixes |
|
|
|
|
) |
|
|
|
|
); |
|
|
|
|
|
|
|
|
|
# We're trying to use the same syntax for PAM variables and env variables. |
|
|
|
|
# That means we need to map the env variables that people might use to their |
|
|
|
|
# equivalent PAM variable. |
|
|
|
|
replaceEnvVars = replaceStrings ["$HOME" "$USER"] ["@{HOME}" "@{PAM_USER}"]; |
|
|
|
|
|
|
|
|
|
pamVariable = n: v: |
|
|
|
|
''${n} DEFAULT="${concatStringsSep ":" (map replaceEnvVars (toList v))}"''; |
|
|
|
|
|
|
|
|
|
pamVariables = |
|
|
|
|
concatStringsSep "\n" |
|
|
|
|
(mapAttrsToList pamVariable |
|
|
|
|
(zipAttrsWith (n: concatLists) |
|
|
|
|
[ |
|
|
|
|
# Make sure security wrappers are prioritized without polluting |
|
|
|
|
# shell environments with an extra entry. Sessions which depend on |
|
|
|
|
# pam for its environment will otherwise have eg. broken sudo. In |
|
|
|
|
# particular Gnome Shell sometimes fails to source a proper |
|
|
|
|
# environment from a shell. |
|
|
|
|
{ PATH = [ config.security.wrapperDir ]; } |
|
|
|
|
|
|
|
|
|
(mapAttrs (n: toList) cfg.sessionVariables) |
|
|
|
|
suffixedVariables |
|
|
|
|
])); |
|
|
|
|
in '' |
|
|
|
|
${pamVariables} |
|
|
|
|
''; |
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
} |
|
|
|
|