authorNick Hu <me@nickhu.co.uk>2020-09-11 01:13:53 +0100
committerNick Hu <me@nickhu.co.uk>2020-10-12 13:29:40 +0100
commit948e05bb281cf3ec3b75944f9afd3162187f1d4e (patch)
treea422023432e4819c932737fd125784a1be92d5e7 /nixos/modules/security/pam.nix
parente61c9d185d3e56e45a78cd7dd81385c38028a209 (diff)
pam: add support for pam_gnupg
Diffstat (limited to 'nixos/modules/security/pam.nix')
-rw-r--r--nixos/modules/security/pam.nix45
1 files changed, 45 insertions, 0 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index a20d0a243a8..a517f9e51ce 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -318,6 +318,42 @@ let
         '';
       };
 
+      gnupg = {
+        enable = mkOption {
+          type = types.bool;
+          default = false;
+          description = ''
+            If enabled, pam_gnupg will attempt to automatically unlock the
+            user's GPG keys with the login password via
+            <command>gpg-agent</command>. The keygrips of all keys to be
+            unlocked should be written to <filename>~/.pam-gnupg</filename>,
+            and can be queried with <command>gpg -K --with-keygrip</command>.
+            Presetting passphrases must be enabled by adding
+            <literal>allow-preset-passphrase</literal> in
+            <filename>~/.gnupg/gpg-agent.conf</filename>.
+          '';
+        };
+
+        noAutostart = mkOption {
+          type = types.bool;
+          default = false;
+          description = ''
+            Don't start <command>gpg-agent</command> if it is not running.
+            Useful in conjunction with starting <command>gpg-agent</command> as
+            a systemd user service.
+          '';
+        };
+
+        storeOnly = mkOption {
+          type = types.bool;
+          default = false;
+          description = ''
+            Don't send the password immediately after login, but store for PAM
+            <literal>session</literal>.
+          '';
+        };
+      };
+
       text = mkOption {
         type = types.nullOr types.lines;
         description = "Contents of the PAM service file.";
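Review bot: The `noAutostart` and `storeOnly` descriptions do not say that they only take effect together with `gnupg.enable`, nor which generated PAM line each one modifies; the later hunks show `storeOnly` is appended to the `auth` entry and `noAutostart` to the `session` entry. Add to each description a sentence such as `Only has an effect when <option>gnupg.enable</option> is set.`, and to `storeOnly` something like `Appends <literal>store-only</literal> to the <literal>auth</literal> entry; the password is then only handed to gpg-agent during the session phase.` The `enable` description could also state plainly what it implies: the login password is forwarded to gpg-agent as the passphrase, so the keys listed in `~/.pam-gnupg` must be protected with the same passphrase as the account password, and that password is held in PAM data between the auth and session phases. The enclosing per-service option set starts before this hunk.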
@@ -386,6 +422,7 @@ let
             || cfg.enableKwallet
             || cfg.enableGnomeKeyring
             || cfg.googleAuthenticator.enable
+            || cfg.gnupg.enable
             || cfg.duoSecurity.enable)) ''
               auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth
               ${optionalString config.security.pam.enableEcryptfs
@@ -397,6 +434,10 @@ let
                  " kwalletd=${pkgs.kdeFrameworks.kwallet.bin}/bin/kwalletd5")}
               ${optionalString cfg.enableGnomeKeyring
                 "auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so"}
+              ${optionalString cfg.gnupg.enable
+                "auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so"
+                + optionalString cfg.gnupg.storeOnly " store-only"
+               }
               ${optionalString cfg.googleAuthenticator.enable
                 "auth required ${pkgs.googleAuthenticator}/lib/security/pam_google_authenticator.so no_increment_hotp"}
               ${optionalString cfg.duoSecurity.enable
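Review bot: The `store-only` suffix on the new auth line is not guarded by `cfg.gnupg.enable`: function application binds tighter than `+`, so the interpolation parses as `(optionalString cfg.gnupg.enable "auth optional …") + (optionalString cfg.gnupg.storeOnly " store-only")`, and a service configured with `gnupg.enable = false` but `gnupg.storeOnly = true` emits a line containing only ` store-only`, which libpam will treat as a malformed entry in that service's authentication stack. Parenthesise the concatenation so the whole line is gated on `enable`: `${optionalString cfg.gnupg.enable ("auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so" + optionalString cfg.gnupg.storeOnly " store-only")}`. The session line in the following hunk has the same shape with `noAutostart` and needs the same parentheses. Both interpolations sit inside the service `text` string, which starts and ends outside these hunks.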
@@ -472,6 +513,10 @@ let
                " kwalletd=${pkgs.kdeFrameworks.kwallet.bin}/bin/kwalletd5")}
           ${optionalString (cfg.enableGnomeKeyring)
               "session optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start"}
+          ${optionalString cfg.gnupg.enable
+              "session optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so"
+              + optionalString cfg.gnupg.noAutostart " no-autostart"
+           }
           ${optionalString (config.virtualisation.lxc.lxcfs.enable)
                "session optional ${pkgs.lxc}/lib/security/pam_cgfs.so -c all"}
         '');