authorJörg Thalheim <joerg@thalheim.io>2021-07-28 06:28:25 +0200
committerJörg Thalheim <joerg@thalheim.io>2021-08-20 23:43:30 +0200
commit1645acf1d3e9fc2f9a673e3caca9d5e66ca03827 (patch)
tree241f12ddc53a29a5e100b6e091e269c51b0b7eae
parent3dcb36f234d7191381992995e9960fd55a5d5832 (diff)
nixos: reduce pam files rebuilds on updates
Before, whenever environment variables changed, the pam files had to be
rebuilt.

This is expensive since each file needs its own sandbox set up.
-rw-r--r--nixos/modules/config/system-environment.nix70
-rw-r--r--nixos/modules/security/pam.nix2
-rw-r--r--nixos/modules/services/wayland/cage.nix2
-rw-r--r--nixos/modules/services/x11/display-managers/gdm.nix2
-rw-r--r--nixos/modules/services/x11/display-managers/lightdm.nix2
-rw-r--r--nixos/modules/services/x11/display-managers/sddm.nix2
6 files changed, 39 insertions, 41 deletions
diff --git a/nixos/modules/config/system-environment.nix b/nixos/modules/config/system-environment.nix
index 4888740ba3d..d2a66b8d932 100644
--- a/nixos/modules/config/system-environment.nix
+++ b/nixos/modules/config/system-environment.nix
@@ -65,42 +65,40 @@ in
   };
 
   config = {
-
-    system.build.pamEnvironment =
-      let
-        suffixedVariables =
-          flip mapAttrs cfg.profileRelativeSessionVariables (envVar: suffixes:
-            flip concatMap cfg.profiles (profile:
-              map (suffix: "${profile}${suffix}") suffixes
-            )
-          );
-
-        # We're trying to use the same syntax for PAM variables and env variables.
-        # That means we need to map the env variables that people might use to their
-        # equivalent PAM variable.
-        replaceEnvVars = replaceStrings ["$HOME" "$USER"] ["@{HOME}" "@{PAM_USER}"];
-
-        pamVariable = n: v:
-          ''${n}   DEFAULT="${concatStringsSep ":" (map replaceEnvVars (toList v))}"'';
-
-        pamVariables =
-          concatStringsSep "\n"
-          (mapAttrsToList pamVariable
-          (zipAttrsWith (n: concatLists)
-            [
-              # Make sure security wrappers are prioritized without polluting
-              # shell environments with an extra entry. Sessions which depend on
-              # pam for its environment will otherwise have eg. broken sudo. In
-              # particular Gnome Shell sometimes fails to source a proper
-              # environment from a shell.
-              { PATH = [ config.security.wrapperDir ]; }
-
-              (mapAttrs (n: toList) cfg.sessionVariables)
-              suffixedVariables
-            ]));
-      in
-        pkgs.writeText "pam-environment" "${pamVariables}\n";
-
+    environment.etc."pam/environment".text = let
+      suffixedVariables =
+        flip mapAttrs cfg.profileRelativeSessionVariables (envVar: suffixes:
+          flip concatMap cfg.profiles (profile:
+            map (suffix: "${profile}${suffix}") suffixes
+          )
+        );
+
+      # We're trying to use the same syntax for PAM variables and env variables.
+      # That means we need to map the env variables that people might use to their
+      # equivalent PAM variable.
+      replaceEnvVars = replaceStrings ["$HOME" "$USER"] ["@{HOME}" "@{PAM_USER}"];
+
+      pamVariable = n: v:
+        ''${n}   DEFAULT="${concatStringsSep ":" (map replaceEnvVars (toList v))}"'';
+
+      pamVariables =
+        concatStringsSep "\n"
+        (mapAttrsToList pamVariable
+        (zipAttrsWith (n: concatLists)
+          [
+            # Make sure security wrappers are prioritized without polluting
+            # shell environments with an extra entry. Sessions which depend on
+            # pam for its environment will otherwise have eg. broken sudo. In
+            # particular Gnome Shell sometimes fails to source a proper
+            # environment from a shell.
+            { PATH = [ config.security.wrapperDir ]; }
+
+            (mapAttrs (n: toList) cfg.sessionVariables)
+            suffixedVariables
+          ]));
+    in ''
+      ${pamVariables}
+    '';
   };
 
 }
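Review bot: `system.build.pamEnvironment` is removed in this hunk without an alias, so any out-of-tree module that still interpolates `${config.system.build.pamEnvironment}` into a PAM service text (as the five in-tree callers did before this commit) fails to evaluate instead of picking up the new path. Keeping `system.build.pamEnvironment = config.environment.etc."pam/environment".source;` next to the new `environment.etc` definition would preserve that reference while the /etc file remains what PAM reads. The new definition would also benefit from a comment stating why it lives in /etc, e.g. `# Installed under /etc rather than referenced by store path so PAM service files need no rebuild when session variables change.`. The enclosing module function and its `let` bindings start outside the hunk.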
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 9a6c7d17825..ca402e70926 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -475,7 +475,7 @@ let
 
           # Session management.
           ${optionalString cfg.setEnvironment ''
-            session required pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0
+            session required pam_env.so conffile=/etc/pam/environment readenv=0
           ''}
           session required pam_unix.so
           ${optionalString cfg.setLoginUid
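Review bot: The literal `/etc/pam/environment` is hard-coded here and repeated verbatim in the cage.nix, gdm.nix, lightdm.nix and sddm.nix hunks, with nothing tying it to the `environment.etc."pam/environment"` definition that produces the file; a later rename of either side would surface only at session open, when pam_env cannot find its conffile, rather than at evaluation. Exposing the path once — for example as a `let` binding or a read-only option in pam.nix that the display-manager modules reference — would keep the five sites in step. Note also that the stack now resolves the file by a fixed /etc path at session time instead of a content-addressed store path, so it depends on the activation-managed symlink being present; that appears to be the intent of the commit. The enclosing `''` string of this PAM service text begins and ends outside the hunk.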
diff --git a/nixos/modules/services/wayland/cage.nix b/nixos/modules/services/wayland/cage.nix
index 2e71abb69fc..bd97a674eb8 100644
--- a/nixos/modules/services/wayland/cage.nix
+++ b/nixos/modules/services/wayland/cage.nix
@@ -82,7 +82,7 @@ in {
       auth    required pam_unix.so nullok
       account required pam_unix.so
       session required pam_unix.so
-      session required pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0
+      session required pam_env.so conffile=/etc/pam/environment readenv=0
       session required ${pkgs.systemd}/lib/security/pam_systemd.so
     '';
 
diff --git a/nixos/modules/services/x11/display-managers/gdm.nix b/nixos/modules/services/x11/display-managers/gdm.nix
index ef9ec438cc1..7d5edc22257 100644
--- a/nixos/modules/services/x11/display-managers/gdm.nix
+++ b/nixos/modules/services/x11/display-managers/gdm.nix
@@ -309,7 +309,7 @@ in
         password required       pam_deny.so
 
         session  required       pam_succeed_if.so audit quiet_success user = gdm
-        session  required       pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0
+        session  required       pam_env.so conffile=/etc/pam/environment readenv=0
         session  optional       ${pkgs.systemd}/lib/security/pam_systemd.so
         session  optional       pam_keyinit.so force revoke
         session  optional       pam_permit.so
diff --git a/nixos/modules/services/x11/display-managers/lightdm.nix b/nixos/modules/services/x11/display-managers/lightdm.nix
index 945222296fa..41c1b635f5d 100644
--- a/nixos/modules/services/x11/display-managers/lightdm.nix
+++ b/nixos/modules/services/x11/display-managers/lightdm.nix
@@ -284,7 +284,7 @@ in
         password required       pam_deny.so
 
         session  required       pam_succeed_if.so audit quiet_success user = lightdm
-        session  required       pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0
+        session  required       pam_env.so conffile=/etc/pam/environment readenv=0
         session  optional       ${pkgs.systemd}/lib/security/pam_systemd.so
         session  optional       pam_keyinit.so force revoke
         session  optional       pam_permit.so
diff --git a/nixos/modules/services/x11/display-managers/sddm.nix b/nixos/modules/services/x11/display-managers/sddm.nix
index 116994db1c1..d79b3cda2fc 100644
--- a/nixos/modules/services/x11/display-managers/sddm.nix
+++ b/nixos/modules/services/x11/display-managers/sddm.nix
@@ -229,7 +229,7 @@ in
         password required       pam_deny.so
 
         session  required       pam_succeed_if.so audit quiet_success user = sddm
-        session  required       pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0
+        session  required       pam_env.so conffile=/etc/pam/environment readenv=0
         session  optional       ${pkgs.systemd}/lib/security/pam_systemd.so
         session  optional       pam_keyinit.so force revoke
         session  optional       pam_permit.so