{ config, lib, pkgs, ... }:

with lib;

let

  # Display-manager options; cfg.gdm.* are the ones declared by this module.
  cfg = config.services.xserver.displayManager;
  # GNOME 3 package set selected through environment.gnome3.packageSet.
  gnome3 = config.environment.gnome3.packageSet;
  # The GDM package from that set; supplies the binary, the dconf profile
  # and the D-Bus files referenced below.
  gdm = gnome3.gdm;

in

{

  ###### interface

  options = {

    services.xserver.displayManager.gdm = {

      enable = mkOption {
        type = types.bool;
        default = false;
        example = true;
        description = ''
          Whether to enable GDM as the display manager.
          <emphasis>GDM is very experimental and may render system unusable.</emphasis>
        '';
      };

    };

  };


  ###### implementation

  config = mkIf cfg.gdm.enable {

    # Turn SLiM off so that GDM is the only display manager configured.
    services.xserver.displayManager.slim.enable = false;

    # Dedicated system account the greeter runs as (see the
    # gdm-launch-environment PAM stack below); uid/gid are taken from
    # config.ids so they are stable across rebuilds.
    users.extraUsers.gdm =
      { name = "gdm";
        uid = config.ids.uids.gdm;
        group = "gdm";
        home = "/run/gdm";
        description = "GDM user";
      };

    users.extraGroups.gdm.gid = config.ids.gids.gdm;

    # The display-manager job: environment handed to gdm and the command
    # that starts it.
    services.xserver.displayManager.job =
      {
        environment = {
          # X server binary and arguments GDM is expected to spawn.
          GDM_X_SERVER = "${cfg.xserverBin} ${cfg.xserverArgs}";
          # Presumably the directory of session .desktop files — taken from
          # the shared displayManager options.
          GDM_SESSIONS_DIR = "${cfg.session.desktops}";
          # Lets gnome-settings-daemon's xdg config be found by the greeter.
          XDG_CONFIG_DIRS = "${gnome3.gnome_settings_daemon}/etc/xdg";
          # Find the mouse
          XCURSOR_PATH = "~/.icons:${config.system.path}/share/icons";
        };
        execCmd = "exec ${gdm}/bin/gdm";
      };

    # Because sd_login_monitor_new requires /run/systemd/machines
    systemd.services.display-manager.wants = [ "systemd-machined.service" ];
    systemd.services.display-manager.after = [ "systemd-machined.service" ];

    # Extra programs on the display-manager unit's PATH: the greeter shell,
    # the caribou on-screen keyboard, xhost and the dbus tools.
    systemd.services.display-manager.path = [ gnome3.gnome_shell gnome3.caribou pkgs.xlibs.xhost pkgs.dbus_tools ];

    # Expose GDM's D-Bus files to the system bus configuration.
    services.dbus.packages = [ gdm ];

    # dconf profile applied to the greeter.
    programs.dconf.profiles.gdm = "${gdm}/share/dconf/profile/gdm";

    # GDM LFS PAM modules, adapted somehow to NixOS
    #
    # Four PAM services, one per way GDM enters a session. Module order
    # within each stack is significant, so the stacks are kept verbatim.
    security.pam.services = {
      # Stack for the greeter process itself. auth, account and session
      # are each pinned to the `gdm` system user via pam_succeed_if, and
      # password changes are refused outright by pam_deny.
      gdm-launch-environment.text = ''
        auth required pam_succeed_if.so audit quiet_success user = gdm
        auth optional pam_permit.so

        account required pam_succeed_if.so audit quiet_success user = gdm
        account sufficient pam_unix.so

        password required pam_deny.so

        session required pam_succeed_if.so audit quiet_success user = gdm
        session required pam_env.so envfile=${config.system.build.pamEnvironment}
        session optional ${pkgs.systemd}/lib/security/pam_systemd.so
        session optional pam_keyinit.so force revoke
        session optional pam_permit.so
      '';

      # Stack for interactive login through the greeter.
      #   - pam_succeed_if uid >= 1000: root and system accounts cannot log
      #     in via GDM.
      #   - pam_unix `nullok`: an account whose password is empty is accepted.
      #     NOTE(review): confirm this matches the intended policy for
      #     graphical logins; it is the same for gdm-password below.
      #   - With ecryptfs enabled, pam_unix is `required` and pam_ecryptfs
      #     (unwrap) runs after it; otherwise pam_unix is `sufficient` and a
      #     trailing pam_deny closes the auth stack.
      # NOTE(review): `auth required pam_env.so` here has no envfile=, unlike
      # gdm-password and the session lines; confirm whether that is intended.
      gdm.text = ''
        auth requisite pam_nologin.so
        auth required pam_env.so

        auth required pam_succeed_if.so uid >= 1000 quiet
        auth optional ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so
        auth ${if config.security.pam.enableEcryptfs then "required" else "sufficient"} pam_unix.so nullok likeauth
        ${optionalString config.security.pam.enableEcryptfs
          "auth required ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"}

        ${optionalString (! config.security.pam.enableEcryptfs)
          "auth required pam_deny.so"}

        account sufficient pam_unix.so

        password requisite pam_unix.so nullok sha512
        ${optionalString config.security.pam.enableEcryptfs
          "password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}

        session required pam_env.so envfile=${config.system.build.pamEnvironment}
        session required pam_unix.so
        ${optionalString config.security.pam.enableEcryptfs
          "session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
        session required pam_loginuid.so
        session optional ${pkgs.systemd}/lib/security/pam_systemd.so
        session optional ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so auto_start
      '';

      # Same as the `gdm` stack except that pam_env is given the NixOS
      # envfile during the auth phase as well.
      gdm-password.text = ''
        auth requisite pam_nologin.so
        auth required pam_env.so envfile=${config.system.build.pamEnvironment}

        auth required pam_succeed_if.so uid >= 1000 quiet
        auth optional ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so
        auth ${if config.security.pam.enableEcryptfs then "required" else "sufficient"} pam_unix.so nullok likeauth
        ${optionalString config.security.pam.enableEcryptfs
          "auth required ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"}
        ${optionalString (! config.security.pam.enableEcryptfs)
          "auth required pam_deny.so"}

        account sufficient pam_unix.so

        password requisite pam_unix.so nullok sha512
        ${optionalString config.security.pam.enableEcryptfs
          "password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}

        session required pam_env.so envfile=${config.system.build.pamEnvironment}
        session required pam_unix.so
        ${optionalString config.security.pam.enableEcryptfs
          "session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
        session required pam_loginuid.so
        session optional ${pkgs.systemd}/lib/security/pam_systemd.so
        session optional ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so auto_start
      '';

      # Automatic login: pam_permit stands in for the password check, so no
      # credential is verified; only pam_nologin and the uid >= 1000 guard
      # still gate the login. Unlike the two stacks above, this session
      # runs pam_keyinit (revoke) and has no keyring or ecryptfs modules.
      # NOTE(review): confirm the omission of pam_gnome_keyring here is
      # deliberate rather than an oversight.
      gdm-autologin.text = ''
        auth requisite pam_nologin.so

        auth required pam_succeed_if.so uid >= 1000 quiet
        auth required pam_permit.so

        account sufficient pam_unix.so

        password requisite pam_unix.so nullok sha512

        session optional pam_keyinit.so revoke
        session required pam_env.so envfile=${config.system.build.pamEnvironment}
        session required pam_unix.so
        session required pam_loginuid.so
        session optional ${pkgs.systemd}/lib/security/pam_systemd.so
      '';

    };

  };

}