-rw-r--r--nixos/modules/config/i18n.nix2
-rw-r--r--nixos/modules/config/shells-environment.nix1
-rw-r--r--nixos/modules/config/system-environment.nix56
-rw-r--r--nixos/modules/config/timezone.nix2
-rw-r--r--nixos/modules/module-list.nix1
-rw-r--r--nixos/modules/programs/environment.nix9
-rw-r--r--nixos/modules/security/ca.nix8
-rw-r--r--nixos/modules/security/pam.nix1
-rw-r--r--nixos/modules/security/sudo.nix3
-rw-r--r--nixos/modules/services/misc/nix-daemon.nix2
10 files changed, 73 insertions, 12 deletions
diff --git a/nixos/modules/config/i18n.nix b/nixos/modules/config/i18n.nix
index 8182b8ae808..7a7d713ef68 100644
--- a/nixos/modules/config/i18n.nix
+++ b/nixos/modules/config/i18n.nix
@@ -76,7 +76,7 @@ in
 
     environment.systemPackages = [ glibcLocales ];
 
-    environment.variables =
+    environment.systemVariables =
       { LANG = config.i18n.defaultLocale;
         LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive";
       };
diff --git a/nixos/modules/config/shells-environment.nix b/nixos/modules/config/shells-environment.nix
index 9e212847e48..e3ddf9e3c5f 100644
--- a/nixos/modules/config/shells-environment.nix
+++ b/nixos/modules/config/shells-environment.nix
@@ -19,6 +19,7 @@ in
       default = {};
       description = ''
         A set of environment variables used in the global environment.
+        These variables will be set on shell initialisation.
         The value of each variable can be either a string or a list of
         strings.  The latter is concatenated, interspersed with colon
         characters.
diff --git a/nixos/modules/config/system-environment.nix b/nixos/modules/config/system-environment.nix
new file mode 100644
index 00000000000..b30c4e06475
--- /dev/null
+++ b/nixos/modules/config/system-environment.nix
@@ -0,0 +1,56 @@
+# This module defines a system-wide environment that will be
+# initialised by pam_env (that is, not only in shells).
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  cfg = config.environment;
+
+in
+
+{
+
+  options = {
+
+    environment.systemVariables = mkOption {
+      default = {};
+      description = ''
+        A set of environment variables used in the global environment.
+        These variables will be set by PAM.
+        The value of each variable can be either a string or a list of
+        strings.  The latter is concatenated, interspersed with colon
+        characters.
+      '';
+      type = types.attrsOf (mkOptionType {
+        name = "a string or a list of strings";
+        merge = loc: defs:
+          let
+            defs' = filterOverrides defs;
+            res = (head defs').value;
+          in
+          if isList res then concatLists (getValues defs')
+          else if lessThan 1 (length defs') then
+            throw "The option `${showOption loc}' is defined multiple times, in ${showFiles (getFiles defs)}."
+          else if !isString res then
+            throw "The option `${showOption loc}' does not have a string value, in ${showFiles (getFiles defs)}."
+          else res;
+      });
+      apply = mapAttrs (n: v: if isList v then concatStringsSep ":" v else v);
+    };
+
+  };
+
+  config = {
+
+    system.build.pamEnvironment = pkgs.writeText "pam-environment"
+       ''
+         ${concatStringsSep "\n" (
+           (mapAttrsToList (n: v: ''${n}="${concatStringsSep ":" v}"'')
+             (zipAttrsWith (const concatLists) ([ (mapAttrs (n: v: [ v ]) cfg.systemVariables) ]))))}
+       '';
+
+  };
+
+}
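Review bot: The `pamEnvironment` text writes each value verbatim between double quotes (`''${n}="${concatStringsSep ":" v}"''`), so a value containing a `"` or a newline produces a malformed or extra line; as far as I know, pam_env's envfile parser does no shell-style unescaping. Because pam.nix in this commit loads the file with `session required`, I would reject such values at evaluation time with one more `throw` branch in `merge`, next to the `!isString res` check. Separately, `cfg.systemVariables` has already passed through `apply`, so the `zipAttrsWith (const concatLists)` / `mapAttrs (n: v: [ v ])` wrapping over a single attribute set does nothing, and the body can be `mapAttrsToList (n: v: ''${n}="${v}"'') cfg.systemVariables`.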
diff --git a/nixos/modules/config/timezone.nix b/nixos/modules/config/timezone.nix
index 65703d8bb08..4f7fc9ab262 100644
--- a/nixos/modules/config/timezone.nix
+++ b/nixos/modules/config/timezone.nix
@@ -30,7 +30,7 @@ in
 
   config = {
 
-    environment.variables.TZDIR = "/etc/zoneinfo";
+    environment.systemVariables.TZDIR = "/etc/zoneinfo";
 
     systemd.globalEnvironment.TZDIR = tzdir;
 
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 4ceb48989be..a6e0e018669 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -14,6 +14,7 @@
   ./config/power-management.nix
   ./config/pulseaudio.nix
   ./config/shells-environment.nix
+  ./config/system-environment.nix
   ./config/swap.nix
   ./config/sysctl.nix
   ./config/system-path.nix
diff --git a/nixos/modules/programs/environment.nix b/nixos/modules/programs/environment.nix
index aa9aec07834..c26c962b20a 100644
--- a/nixos/modules/programs/environment.nix
+++ b/nixos/modules/programs/environment.nix
@@ -19,13 +19,16 @@ in
     environment.variables =
       { LOCATE_PATH = "/var/cache/locatedb";
         NIXPKGS_CONFIG = "/etc/nix/nixpkgs-config.nix";
-        NIX_PATH =
+        PAGER = "less -R";
+        EDITOR = "nano";
+      };
+
+    environment.systemVariables =
+      { NIX_PATH =
           [ "/nix/var/nix/profiles/per-user/root/channels/nixos"
             "nixpkgs=/etc/nixos/nixpkgs"
             "nixos-config=/etc/nixos/configuration.nix"
           ];
-        PAGER = "less -R";
-        EDITOR = "nano";
       };
 
     environment.profiles =
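Review bot: Moving `NIX_PATH` to `environment.systemVariables` separates it from any definition still made under `environment.variables.NIX_PATH`, because the two options merge independently. A configuration that used to append entries to this list would now presumably export only its own entries at shell initialisation, replacing the value set by PAM rather than extending it. I would add a comment above the new attribute set, e.g. `# NIX_PATH is set by pam_env; extend it via environment.systemVariables, not environment.variables`, and mention the move in the release notes. The enclosing `config` block starts and ends outside the hunk.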
diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix
index f159e359f96..57764dc870f 100644
--- a/nixos/modules/security/ca.nix
+++ b/nixos/modules/security/ca.nix
@@ -12,9 +12,11 @@ with lib;
         }
       ];
 
-    environment.variables.OPENSSL_X509_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt";
-    environment.variables.CURL_CA_BUNDLE = "/etc/ssl/certs/ca-bundle.crt";
-    environment.variables.GIT_SSL_CAINFO = "/etc/ssl/certs/ca-bundle.crt";
+    environment.systemVariables =
+      { OPENSSL_X509_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt";
+        CURL_CA_BUNDLE         = "/etc/ssl/certs/ca-bundle.crt";
+        GIT_SSL_CAINFO         = "/etc/ssl/certs/ca-bundle.crt";
+      };
 
   };
 
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 6a5eb4c720f..02340fd78e8 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -186,6 +186,7 @@ let
               "password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass"}
 
           # Session management.
+          session required pam_env.so envfile=${config.system.build.pamEnvironment}
           session required pam_unix.so
           ${optionalString cfg.setLoginUid
               "session required pam_loginuid.so"}
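Review bot: The added `pam_env.so` line passes only `envfile=`, so the module's other inputs stay at their defaults, including the per-user `~/.pam_environment` file on Linux-PAM versions where `user_readenv` is on by default. This template appears to be shared by the generated PAM services, and sudo.nix in this commit drops `env_keep` for `NIX_PATH` and `LOCALE_ARCHIVE` in favour of this line. A user-writable file could therefore end up supplying those variables in privileged sessions. I would pin the behaviour explicitly: `session required pam_env.so envfile=${config.system.build.pamEnvironment} user_readenv=0`. The surrounding service text starts and ends outside the hunk.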
diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix
index cce1e785563..e8ed545c8cc 100644
--- a/nixos/modules/security/sudo.nix
+++ b/nixos/modules/security/sudo.nix
@@ -58,9 +58,6 @@ in
         # Don't edit this file. Set the NixOS option ‘security.sudo.configFile’ instead.
 
         # Environment variables to keep for root and %wheel.
-        Defaults:root,%wheel env_keep+=LOCALE_ARCHIVE
-        Defaults:root,%wheel env_keep+=NIX_CONF_DIR
-        Defaults:root,%wheel env_keep+=NIX_PATH
         Defaults:root,%wheel env_keep+=TERMINFO_DIRS
         Defaults:root,%wheel env_keep+=TERMINFO
 
diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix
index 4bfd6268234..f373657b791 100644
--- a/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixos/modules/services/misc/nix-daemon.nix
@@ -318,7 +318,7 @@ in
       };
 
     # Set up the environment variables for running Nix.
-    environment.variables = cfg.envVars;
+    environment.systemVariables = cfg.envVars;
 
     environment.extraInit =
       ''