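# Configuration for the pwdutils suite of tools: passwd, useradd, etc.
#
# Security-relevant pieces of this module, in one place:
#   * /etc/login.defs fixes the uid/gid ranges handed out to new accounts
#     and sets UMASK 077 so newly created home directories are private.
#   * The PAM stanzas below decide which account-management tools root can
#     run without re-authenticating and how console logins are treated.
#   * security.setuidPrograms is the list of shadow binaries installed
#     setuid root; keep it as short as possible.
#
# All library functions are referenced through `lib.` explicitly rather
# than via `with lib;`, so nothing in this file is silently shadowed.

{ config, lib, utils, pkgs, ... }:

let

  # Contents of /etc/login.defs.  The string is written verbatim, so any
  # `#` line inside it is a login.defs comment, not a Nix comment.
  # Ranges: system accounts get 400-499, regular accounts 1000-29999.
  # CHFN_RESTRICT is left unset; per login.defs(5) that means only root
  # can change the GECOS fields through the setuid chfn.
  loginDefs =
    ''
      DEFAULT_HOME yes

      SYS_UID_MIN 400
      SYS_UID_MAX 499
      UID_MIN 1000
      UID_MAX 29999

      SYS_GID_MIN 400
      SYS_GID_MAX 499
      GID_MIN 1000
      GID_MAX 29999

      TTYGROUP tty
      TTYPERM 0620

      # Ensure privacy for newly created home directories.
      UMASK 077

      # Uncomment this to allow non-root users to change their account
      #information. This should be made configurable.
      #CHFN_RESTRICT frwh

    '';

in

{

  ###### interface

  options = {

    users.defaultUserShell = lib.mkOption {
      description = ''
        This option defines the default shell assigned to user
        accounts. This can be either a full system path or a shell package.

        This must not be a store path, since the path is
        used outside the store (in particular in /etc/passwd).
      '';
      example = lib.literalExample "pkgs.zsh";
      type = lib.types.either lib.types.path lib.types.shellPackage;
    };

  };


  ###### implementation

  config = {

    # The shadow tools are only installed when the user database is
    # mutable; a default shell given as a package is installed as well so
    # the SHELL entry written to /etc/passwd resolves.
    environment.systemPackages =
      lib.optional config.users.mutableUsers pkgs.shadow ++
      lib.optional (lib.types.shellPackage.check config.users.defaultUserShell)
        config.users.defaultUserShell;

    environment.etc =
      [ { # /etc/login.defs: global configuration for pwdutils. You
          # cannot login without it!
          source = pkgs.writeText "login.defs" loginDefs;
          target = "login.defs";
        }

        { # /etc/default/useradd: configuration for useradd.
          source = pkgs.writeText "useradd"
            ''
              GROUP=100
              HOME=/home
              SHELL=${utils.toShellPath config.users.defaultUserShell}
            '';
          target = "default/useradd";
        }
      ];

    # rootOK lets root invoke the tool without re-authenticating (the
    # pam_rootok shortcut); other users still go through the normal stack.
    security.pam.services =
      { chsh = { rootOK = true; };
        chfn = { rootOK = true; };
        # logFailures records failed su attempts so they are visible in
        # the logs.
        su = { rootOK = true; forwardXAuth = true; logFailures = true; };
        passwd = {};
        # Note: useradd, groupadd etc. aren't setuid root, so it
        # doesn't really matter what the PAM config says as long as it
        # lets root in.
        useradd = { rootOK = true; };
        usermod = { rootOK = true; };
        userdel = { rootOK = true; };
        groupadd = { rootOK = true; };
        groupmod = { rootOK = true; };
        groupmems = { rootOK = true; };
        groupdel = { rootOK = true; };
        # NOTE(review): allowNullPassword lets accounts whose password
        # field is empty log in at the console; confirm that is intended
        # for this deployment.
        login = { startSession = true; allowNullPassword = true; showMotd = true; updateWtmp = true; };
        chpasswd = { rootOK = true; };
        chgpasswd = { rootOK = true; };
      };

    # Binaries installed setuid root.  su and chfn are always present;
    # newuidmap/newgidmap are needed to set subordinate uid/gid maps;
    # passwd, sg and newgrp only make sense when the user database is
    # mutable, so they are left out otherwise.
    security.setuidPrograms = [ "su" "chfn" ]
      ++ [ "newuidmap" "newgidmap" ] # new in shadow 4.2.x
      ++ lib.optionals config.users.mutableUsers
        [ "passwd" "sg" "newgrp" ];

  };

}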