
nixos/ecryptfs: init

Currently, ecryptfs support is coupled to `security.pam.enableEcryptfs`, but one
might want to use ecryptfs without enabling the PAM functionality. This commit
splits it out into a `boot.supportedFilesystems` switch.

authored by

edef and committed by
obadz
ea35bc94 7867b508

+19 -6
+1
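--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -696,6 +696,7 @@
   ./tasks/filesystems/bcachefs.nix
   ./tasks/filesystems/btrfs.nix
   ./tasks/filesystems/cifs.nix
+  ./tasks/filesystems/ecryptfs.nix
   ./tasks/filesystems/exfat.nix
   ./tasks/filesystems/ext.nix
   ./tasks/filesystems/f2fs.nix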
+4 -6
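--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -486,8 +486,9 @@
       ++ optionals config.krb5.enable [pam_krb5 pam_ccreds]
       ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]
       ++ optionals config.security.pam.oath.enable [ pkgs.oathToolkit ]
-      ++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ]
-      ++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ];
+      ++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ];
+
+    boot.supportedFilesystems = optionals config.security.pam.enableEcryptfs [ "ecryptfs" ];
 
     security.wrappers = {
       unix_chkpwd = {
@@ -495,10 +496,7 @@
         owner = "root";
         setuid = true;
       };
-    } // (if config.security.pam.enableEcryptfs then {
-      "mount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
-      "umount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
-    } else {});
+    };
 
     environment.etc =
       mapAttrsToList (n: v: makePAMService v) config.security.pam.services;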
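Review bot: The new `boot.supportedFilesystems` line wraps a single element in `optionals … [ "ecryptfs" ]` where nixpkgs' `optional` already produces a one-element list, so `boot.supportedFilesystems = optional config.security.pam.enableEcryptfs "ecryptfs";` reads more directly and matches how single values are usually appended elsewhere in the module tree. It is also worth a one-line comment at that point explaining that the PAM switch now only pulls in the filesystem module and that the setuid `mount.ecryptfs_private` wrappers are defined there, since a reader of pam.nix no longer sees where those wrappers come from: `# ecryptfs userspace tools and their setuid wrappers live in tasks/filesystems/ecryptfs.nix`. The enclosing `config` attribute set starts and ends outside both hunks.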
+14
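--- /dev/null
+++ b/nixos/modules/tasks/filesystems/ecryptfs.nix
@@ -0,0 +1,14 @@
+{ config, lib, pkgs, ... }:
+# TODO: make ecryptfs work in initramfs?
+
+with lib;
+
+{
+  config = mkIf (any (fs: fs == "ecryptfs") config.boot.supportedFilesystems) {
+    system.fsPackages = [ pkgs.ecryptfs ];
+    security.wrappers = {
+      "mount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
+      "umount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
+    };
+  };
+}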
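Review bot: The two `security.wrappers` entries declare only `source`, so whether `mount.ecryptfs_private` and `umount.ecryptfs_private` end up setuid root is left to the wrappers module's defaults, whereas the `unix_chkpwd` wrapper in pam.nix spells out `owner = "root"; setuid = true;`. Because this module is now reached by anything that lists `"ecryptfs"` in `boot.supportedFilesystems`, not only by the PAM switch, the privilege these helpers carry should be explicit and commented, e.g. `"mount.ecryptfs_private" = { source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private"; owner = "root"; setuid = true; };` with a note `# setuid root: lets unprivileged users mount their own ~/.Private` above the attribute set. The `# TODO` about initramfs would also be clearer if it said what is missing (the kernel module and tools are not added to the initrd here), since as written it could be read as a known breakage.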