tjh.dev
nixos/duosec: replace activationScript
Replace with a separate systemd service.
+12
-3
nixos/modules/security/duosec.nix
+12
-3
nixos/modules/security/duosec.nix
···
193
source = "${pkgs.duo-unix.out}/bin/login_duo";
194
};
195
196
-
system.activationScripts = {
197
-
login_duo = mkIf cfg.ssh.enable ''
198
if test -f "${cfg.secretKeyFile}"; then
199
mkdir -m 0755 -p /etc/duo
200
···
209
mv -fT "$conf" /etc/duo/login_duo.conf
210
fi
211
'';
212
-
pam_duo = mkIf cfg.pam.enable ''
213
if test -f "${cfg.secretKeyFile}"; then
214
mkdir -m 0755 -p /etc/duo
215
···
193
source = "${pkgs.duo-unix.out}/bin/login_duo";
194
};
195
196
+
systemd.services.login-duo = lib.mkIf cfg.ssh.enable {
197
+
wantedBy = [ "sysinit.target" ];
198
+
before = [ "sysinit.target" ];
199
+
unitConfig.DefaultDependencies = false;
200
+
script = ''
201
if test -f "${cfg.secretKeyFile}"; then
202
mkdir -m 0755 -p /etc/duo
203
···
212
mv -fT "$conf" /etc/duo/login_duo.conf
213
fi
214
'';
215
+
};
216
+
217
+
systemd.services.pam-duo = lib.mkIf cfg.ssh.enable {
218
+
wantedBy = [ "sysinit.target" ];
219
+
before = [ "sysinit.target" ];
220
+
unitConfig.DefaultDependencies = false;
221
+
script = ''
222
if test -f "${cfg.secretKeyFile}"; then
223
mkdir -m 0755 -p /etc/duo
224