blob: 6c3c52730863e546029bb5aff423917296c100a2 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
|
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.xserver.displayManager;
gnome3 = config.environment.gnome3.packageSet;
gdm = gnome3.gdm;
in
{
###### interface
options = {
services.xserver.displayManager.gdm = {
enable = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
Whether to enable GDM as the display manager.
<emphasis>GDM is very experimental and may render system unusable.</emphasis>
'';
};
};
};
###### implementation
config = mkIf cfg.gdm.enable {
services.xserver.displayManager.slim.enable = false;
users.extraUsers.gdm =
{ name = "gdm";
uid = config.ids.uids.gdm;
group = "gdm";
home = "/run/gdm";
description = "GDM user";
};
users.extraGroups.gdm.gid = config.ids.gids.gdm;
services.xserver.displayManager.job =
{
environment = {
GDM_X_SERVER = "${cfg.xserverBin} ${cfg.xserverArgs}";
GDM_SESSIONS_DIR = "${cfg.session.desktops}";
XDG_CONFIG_DIRS = "${gnome3.gnome_settings_daemon}/etc/xdg";
# Find the mouse
XCURSOR_PATH = "~/.icons:${config.system.path}/share/icons";
};
execCmd = "exec ${gdm}/bin/gdm";
};
# Because sd_login_monitor_new requires /run/systemd/machines
systemd.services.display-manager.wants = [ "systemd-machined.service" ];
systemd.services.display-manager.after = [ "systemd-machined.service" ];
systemd.services.display-manager.path = [ gnome3.gnome_shell gnome3.caribou pkgs.xlibs.xhost pkgs.dbus_tools ];
services.dbus.packages = [ gdm ];
programs.dconf.profiles.gdm = "${gdm}/share/dconf/profile/gdm";
# GDM LFS PAM modules, adapted somehow to NixOS
security.pam.services = {
gdm-launch-environment.text = ''
auth required pam_succeed_if.so audit quiet_success user = gdm
auth optional pam_permit.so
account required pam_succeed_if.so audit quiet_success user = gdm
account sufficient pam_unix.so
password required pam_deny.so
session required pam_succeed_if.so audit quiet_success user = gdm
session required pam_env.so envfile=${config.system.build.pamEnvironment}
session optional ${pkgs.systemd}/lib/security/pam_systemd.so
session optional pam_keyinit.so force revoke
session optional pam_permit.so
'';
gdm.text = ''
auth requisite pam_nologin.so
auth required pam_env.so
auth required pam_succeed_if.so uid >= 1000 quiet
auth optional ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so
auth ${if config.security.pam.enableEcryptfs then "required" else "sufficient"} pam_unix.so nullok likeauth
${optionalString config.security.pam.enableEcryptfs
"auth required ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"}
${optionalString (! config.security.pam.enableEcryptfs)
"auth required pam_deny.so"}
account sufficient pam_unix.so
password requisite pam_unix.so nullok sha512
${optionalString config.security.pam.enableEcryptfs
"password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
session required pam_env.so envfile=${config.system.build.pamEnvironment}
session required pam_unix.so
${optionalString config.security.pam.enableEcryptfs
"session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
session required pam_loginuid.so
session optional ${pkgs.systemd}/lib/security/pam_systemd.so
session optional ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so auto_start
'';
gdm-password.text = ''
auth requisite pam_nologin.so
auth required pam_env.so envfile=${config.system.build.pamEnvironment}
auth required pam_succeed_if.so uid >= 1000 quiet
auth optional ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so
auth ${if config.security.pam.enableEcryptfs then "required" else "sufficient"} pam_unix.so nullok likeauth
${optionalString config.security.pam.enableEcryptfs
"auth required ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"}
${optionalString (! config.security.pam.enableEcryptfs)
"auth required pam_deny.so"}
account sufficient pam_unix.so
password requisite pam_unix.so nullok sha512
${optionalString config.security.pam.enableEcryptfs
"password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
session required pam_env.so envfile=${config.system.build.pamEnvironment}
session required pam_unix.so
${optionalString config.security.pam.enableEcryptfs
"session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
session required pam_loginuid.so
session optional ${pkgs.systemd}/lib/security/pam_systemd.so
session optional ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so auto_start
'';
gdm-autologin.text = ''
auth requisite pam_nologin.so
auth required pam_succeed_if.so uid >= 1000 quiet
auth required pam_permit.so
account sufficient pam_unix.so
password requisite pam_unix.so nullok sha512
session optional pam_keyinit.so revoke
session required pam_env.so envfile=${config.system.build.pamEnvironment}
session required pam_unix.so
session required pam_loginuid.so
session optional ${pkgs.systemd}/lib/security/pam_systemd.so
'';
};
};
}
|