author | Jörg Thalheim <Mic92@users.noreply.github.com> | 2021-08-20 23:23:42 +0100 |
committer | GitHub <noreply@github.com> | 2021-08-20 23:23:42 +0100 |
commit | 9b962429be9a6820ec1746a0e6350cfe98cc9bcf (patch) | |
tree | 33646587f73e9dc867f1663ce405b33e2467f1a1 /nixos | |
parent | 628af8a187f756a3c587aabb67fcebff7c262603 (diff) | |
parent | 1645acf1d3e9fc2f9a673e3caca9d5e66ca03827 (diff) | |
Merge pull request #133014 from Mic92/fix-pam
nixos: reduce pam files rebuilds on updates
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/config/system-environment.nix | 70 | ||||
-rw-r--r-- | nixos/modules/security/pam.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/wayland/cage.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/x11/display-managers/gdm.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/x11/display-managers/lightdm.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/x11/display-managers/sddm.nix | 2 |
6 files changed, 39 insertions, 41 deletions
diff --git a/nixos/modules/config/system-environment.nix b/nixos/modules/config/system-environment.nix
index 4888740ba3d..d2a66b8d932 100644
--- a/nixos/modules/config/system-environment.nix
+++ b/nixos/modules/config/system-environment.nix
@@ -65,42 +65,40 @@ in
 };
 config = {
-
- system.build.pamEnvironment =
- let
- suffixedVariables =
- flip mapAttrs cfg.profileRelativeSessionVariables (envVar: suffixes:
- flip concatMap cfg.profiles (profile:
- map (suffix: "${profile}${suffix}") suffixes
- )
- );
-
- # We're trying to use the same syntax for PAM variables and env variables.
- # That means we need to map the env variables that people might use to their
- # equivalent PAM variable.
- replaceEnvVars = replaceStrings ["$HOME" "$USER"] ["@{HOME}" "@{PAM_USER}"];
-
- pamVariable = n: v:
- ''${n} DEFAULT="${concatStringsSep ":" (map replaceEnvVars (toList v))}"'';
-
- pamVariables =
- concatStringsSep "\n"
- (mapAttrsToList pamVariable
- (zipAttrsWith (n: concatLists)
- [
- # Make sure security wrappers are prioritized without polluting
- # shell environments with an extra entry. Sessions which depend on
- # pam for its environment will otherwise have eg. broken sudo. In
- # particular Gnome Shell sometimes fails to source a proper
- # environment from a shell.
- { PATH = [ config.security.wrapperDir ]; }
-
- (mapAttrs (n: toList) cfg.sessionVariables)
- suffixedVariables
- ]));
- in
- pkgs.writeText "pam-environment" "${pamVariables}\n";
-
+ environment.etc."pam/environment".text = let
+ suffixedVariables =
+ flip mapAttrs cfg.profileRelativeSessionVariables (envVar: suffixes:
+ flip concatMap cfg.profiles (profile:
+ map (suffix: "${profile}${suffix}") suffixes
+ )
+ );
+
+ # We're trying to use the same syntax for PAM variables and env variables.
+ # That means we need to map the env variables that people might use to their
+ # equivalent PAM variable.
+ replaceEnvVars = replaceStrings ["$HOME" "$USER"] ["@{HOME}" "@{PAM_USER}"];
+
+ pamVariable = n: v:
+ ''${n} DEFAULT="${concatStringsSep ":" (map replaceEnvVars (toList v))}"'';
+
+ pamVariables =
+ concatStringsSep "\n"
+ (mapAttrsToList pamVariable
+ (zipAttrsWith (n: concatLists)
+ [
+ # Make sure security wrappers are prioritized without polluting
+ # shell environments with an extra entry. Sessions which depend on
+ # pam for its environment will otherwise have eg. broken sudo. In
+ # particular Gnome Shell sometimes fails to source a proper
+ # environment from a shell.
+ { PATH = [ config.security.wrapperDir ]; }
+
+ (mapAttrs (n: toList) cfg.sessionVariables)
+ suffixedVariables
+ ]));
+ in ''
+ ${pamVariables}
+ '';
 };
 }
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 5400ba1ef98..163d75d7caf 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -475,7 +475,7 @@ let
 # Session management.
 ${optionalString cfg.setEnvironment ''
- session required pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0
+ session required pam_env.so conffile=/etc/pam/environment readenv=0
 ''}
 session required pam_unix.so
 ${optionalString cfg.setLoginUid
diff --git a/nixos/modules/services/wayland/cage.nix b/nixos/modules/services/wayland/cage.nix
index 2e71abb69fc..bd97a674eb8 100644
--- a/nixos/modules/services/wayland/cage.nix
+++ b/nixos/modules/services/wayland/cage.nix
@@ -82,7 +82,7 @@ in {
 auth required pam_unix.so nullok
 account required pam_unix.so
 session required pam_unix.so
- session required pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0
+ session required pam_env.so conffile=/etc/pam/environment readenv=0
 session required ${pkgs.systemd}/lib/security/pam_systemd.so
 '';
diff --git a/nixos/modules/services/x11/display-managers/gdm.nix b/nixos/modules/services/x11/display-managers/gdm.nix
index 0f7941364d2..5c4c6c67fd0 100644
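Review bot: The removed `system.build.pamEnvironment` attribute gets no compatibility alias, so an out-of-tree module that still references `config.system.build.pamEnvironment` (exactly what the five in-tree callers did before this commit) now fails evaluation with an undefined-attribute error rather than a deprecation message; if `system.build` entries are treated as part of the module interface, keeping `system.build.pamEnvironment = config.environment.etc."pam/environment".source;` for a release would soften that. The new indented string yields the same `${pamVariables}\n` content as the old `pkgs.writeText` call, so the file itself is unchanged. A why-comment above the new `environment.etc."pam/environment".text` line would help the next reader, e.g. `# Served from /etc rather than a store path so the generated PAM service files keep a stable path and need not be rebuilt whenever the session environment changes.` The surrounding `config = {` attribute set continues outside this hunk.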
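Review bot: The literal `session required pam_env.so conffile=/etc/pam/environment readenv=0` is now spelled out identically here and in cage.nix, gdm.nix, lightdm.nix and sddm.nix, with nothing tying those five copies to the `environment.etc."pam/environment"` definition that actually creates the file. Since pam_env.so runs as root for every session and this file is what puts `security.wrapperDir` first in PATH, a future rename of the etc entry or a change to the pam_env options would silently leave one of the display managers pointing at a stale or missing path; a single shared let-binding in pam.nix that the other modules consume, or at least a comment next to the etc entry listing these consumers, would keep them in lockstep. The enclosing `let` that builds the PAM service text starts and ends outside this hunk.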
--- a/nixos/modules/services/x11/display-managers/gdm.nix
+++ b/nixos/modules/services/x11/display-managers/gdm.nix
@@ -314,7 +314,7 @@ in
 password required pam_deny.so
 session required pam_succeed_if.so audit quiet_success user = gdm
- session required pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0
+ session required pam_env.so conffile=/etc/pam/environment readenv=0
 session optional ${pkgs.systemd}/lib/security/pam_systemd.so
 session optional pam_keyinit.so force revoke
 session optional pam_permit.so
diff --git a/nixos/modules/services/x11/display-managers/lightdm.nix b/nixos/modules/services/x11/display-managers/lightdm.nix
index 945222296fa..41c1b635f5d 100644
--- a/nixos/modules/services/x11/display-managers/lightdm.nix
+++ b/nixos/modules/services/x11/display-managers/lightdm.nix
@@ -284,7 +284,7 @@ in
 password required pam_deny.so
 session required pam_succeed_if.so audit quiet_success user = lightdm
- session required pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0
+ session required pam_env.so conffile=/etc/pam/environment readenv=0
 session optional ${pkgs.systemd}/lib/security/pam_systemd.so
 session optional pam_keyinit.so force revoke
 session optional pam_permit.so
diff --git a/nixos/modules/services/x11/display-managers/sddm.nix b/nixos/modules/services/x11/display-managers/sddm.nix
index 116994db1c1..d79b3cda2fc 100644
--- a/nixos/modules/services/x11/display-managers/sddm.nix
+++ b/nixos/modules/services/x11/display-managers/sddm.nix
@@ -229,7 +229,7 @@ in
 password required pam_deny.so
 session required pam_succeed_if.so audit quiet_success user = sddm
- session required pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0
+ session required pam_env.so conffile=/etc/pam/environment readenv=0
 session optional ${pkgs.systemd}/lib/security/pam_systemd.so
 session optional pam_keyinit.so force revoke
 session optional pam_permit.so