+9

nixos/modules/config/users-groups.nix

reviewed

··· 108 108 description = "The user's home directory."; 109 109 }; 110 110 111 111 + cryptHomeLuks = mkOption { 112 112 + type = with types; nullOr str; 113 113 + default = null; 114 114 + description = '' 115 115 + Path to encrypted luks device that contains 116 116 + the user's home directory. 117 117 + ''; 118 118 + }; 119 119 + 111 120 shell = mkOption { 112 121 type = types.str; 113 122 default = "/run/current-system/sw/bin/nologin";

+1

nixos/modules/module-list.nix

reviewed

··· 84 84 ./security/grsecurity.nix 85 85 ./security/pam.nix 86 86 ./security/pam_usb.nix 87 87 + ./security/pam_mount.nix 87 88 ./security/polkit.nix 88 89 ./security/prey.nix 89 90 ./security/rngd.nix

+16 -2

nixos/modules/security/pam.nix

reviewed

··· 126 126 ''; 127 127 }; 128 128 129 129 + pamMount = mkOption { 130 130 + default = config.security.pam.mount.enable; 131 131 + type = types.bool; 132 132 + description = '' 133 133 + Enable PAM mount (pam_mount) system to mount fileystems on user login. 134 134 + ''; 135 135 + }; 136 136 + 129 137 allowNullPassword = mkOption { 130 138 default = false; 131 139 type = types.bool; ··· 224 232 ${optionalString cfg.usbAuth 225 233 "auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"} 226 234 ${optionalString cfg.unixAuth 227 227 - "auth ${if config.security.pam.enableEcryptfs then "required" else "sufficient"} pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth"} 235 235 + "auth ${if (config.security.pam.enableEcryptfs || cfg.pamMount) then "required" else "sufficient"} pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth"} 236 236 + ${optionalString cfg.pamMount 237 237 + "auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so"} 228 238 ${optionalString config.security.pam.enableEcryptfs 229 239 "auth required ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"} 230 240 ${optionalString cfg.otpwAuth ··· 238 248 auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass 239 249 auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass 240 250 ''} 241 241 - ${optionalString (! config.security.pam.enableEcryptfs) "auth required pam_deny.so"} 251 251 + ${optionalString (!(config.security.pam.enableEcryptfs || cfg.pamMount)) "auth required pam_deny.so"} 242 252 243 253 # Password management. 244 254 ${optionalString config.security.pam.enableEcryptfs 245 255 "password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} 246 256 password requisite pam_unix.so nullok sha512 257 257 + ${optionalString cfg.pamMount 258 258 + "password optional ${pkgs.pam_mount}/lib/security/pam_mount.so"} 247 259 ${optionalString config.users.ldap.enable 248 260 "password sufficient ${pam_ldap}/lib/security/pam_ldap.so"} 249 261 ${optionalString config.krb5.enable ··· 280 292 "session required ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf cfg.limits}"} 281 293 ${optionalString (cfg.showMotd && config.users.motd != null) 282 294 "session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}"} 295 295 + ${optionalString cfg.pamMount 296 296 + "session optional ${pkgs.pam_mount}/lib/security/pam_mount.so"} 283 297 ''; 284 298 }; 285 299

+72

nixos/modules/security/pam_mount.nix

reviewed

··· 1 1 + { config, lib, pkgs, ... }: 2 2 + 3 3 + with lib; 4 4 + 5 5 + let 6 6 + cfg = config.security.pam.mount; 7 7 + 8 8 + anyPamMount = any (attrByPath ["pamMount"] false) (attrValues config.security.pam.services); 9 9 + in 10 10 + 11 11 + { 12 12 + options = { 13 13 + 14 14 + security.pam.mount = { 15 15 + enable = mkOption { 16 16 + type = types.bool; 17 17 + default = false; 18 18 + description = '' 19 19 + Enable PAM mount system to mount fileystems on user login. 20 20 + ''; 21 21 + }; 22 22 + 23 23 + extraVolumes = mkOption { 24 24 + type = types.listOf types.str; 25 25 + default = []; 26 26 + description = '' 27 27 + List of volume definitions for pam_mount. 28 28 + For more information, visit <link 29 29 + xlink:href="http://pam-mount.sourceforge.net/pam_mount.conf.5.html" />. 30 30 + ''; 31 31 + }; 32 32 + }; 33 33 + 34 34 + }; 35 35 + 36 36 + config = mkIf (cfg.enable || anyPamMount) { 37 37 + 38 38 + environment.systemPackages = [ pkgs.pam_mount ]; 39 39 + environment.etc = [{ 40 40 + target = "security/pam_mount.conf.xml"; 41 41 + source = 42 42 + let 43 43 + extraUserVolumes = filterAttrs (n: u: u.cryptHomeLuks != null) config.users.extraUsers; 44 44 + userVolumeEntry = user: "<volume user=\"${user.name}\" path=\"${user.cryptHomeLuks}\" mountpoint=\"${user.home}\" />\n"; 45 45 + in 46 46 + pkgs.writeText "pam_mount.conf.xml" '' 47 47 + <?xml version="1.0" encoding="utf-8" ?> 48 48 + <!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd"> 49 49 + <!-- auto generated from Nixos: modules/config/users-groups.nix --> 50 50 + <pam_mount> 51 51 + <debug enable="0" /> 52 52 + 53 53 + ${concatStrings (map userVolumeEntry (attrValues extraUserVolumes))} 54 54 + ${concatStringsSep "\n" cfg.extraVolumes} 55 55 + 56 56 + <!-- if activated, requires ofl from hxtools to be present --> 57 57 + <logout wait="0" hup="no" term="no" kill="no" /> 58 58 + <!-- set PATH variable for pam_mount module --> 59 59 + <path>${pkgs.utillinux}/bin</path> 60 60 + <!-- create mount point if not present --> 61 61 + <mkmountpoint enable="1" remove="true" /> 62 62 + 63 63 + <!-- specify the binaries to be called --> 64 64 + <cryptmount>${pkgs.pam_mount}/bin/mount.crypt %(VOLUME) %(MNTPT)</cryptmount> 65 65 + <cryptumount>${pkgs.pam_mount}/bin/umount.crypt %(MNTPT)</cryptumount> 66 66 + <pmvarrun>${pkgs.pam_mount}/bin/pmvarrun -u %(USER) -o %(OPERATION)</pmvarrun> 67 67 + </pam_mount> 68 68 + ''; 69 69 + }]; 70 70 + 71 71 + }; 72 72 + }