Merge pull request #186628 from ocfox/pam_faildelay

nixos/pam: add option failDelay

authored by

Bobby Rong and committed by
GitHub
03e68946 590a40e1

+22
+22
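--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -392,6 +392,24 @@
 '';
 };
 
+failDelay = {
+enable = mkOption {
+type = types.bool;
+default = false;
+description = lib.mdDoc ''
+If enabled, this will replace the `FAIL_DELAY` setting from `login.defs`.
+Change the delay on failure per-application.
+'';
+};
+
+delay = mkOption {
+default = 3000000;
+type = types.int;
+example = 1000000;
+description = lib.mdDoc "The delay time (in microseconds) on failure.";
+};
+};
+
 gnupg = {
 enable = mkOption {
 type = types.bool;
@@ -531,6 +549,7 @@
 || cfg.enableGnomeKeyring
 || cfg.googleAuthenticator.enable
 || cfg.gnupg.enable
+|| cfg.failDelay.enable
 || cfg.duoSecurity.enable))
 (
 ''
@@ -550,6 +569,9 @@
 '' +
 optionalString cfg.gnupg.enable ''
 auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so ${optionalString cfg.gnupg.storeOnly " store-only"}
+'' +
+optionalString cfg.failDelay.enable ''
+auth optional ${pkgs.pam}/lib/security/pam_faildelay.so delay=${toString cfg.failDelay.delay}
 '' +
 optionalString cfg.googleAuthenticator.enable ''
 auth required ${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so no_increment_hotp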
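Review bot: `failDelay.delay` is declared as `types.int`, so a negative value evaluates without error and is written verbatim into the `delay=` argument of the `pam_faildelay.so` line. Since this delay is what slows repeated password guessing, the option should reject out-of-range values at evaluation time, e.g. `type = types.ints.unsigned;`. The new line is only emitted inside the block guarded by the `|| cfg.….enable` list, whose outer condition (closed by the `))`) starts outside the hunk, so the `enable` description should state when the setting actually reaches a service's auth stack. Other modules in the stack may request their own failure delay, so a smaller `delay` here presumably does not shorten the effective wait; that should be confirmed against the PAM documentation and mentioned in the description.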