# Configuration for the pwdutils suite of tools: passwd, useradd, etc.
#
# This module wires the `shadow` package into the system: it writes
# /etc/login.defs and /etc/default/useradd, registers a PAM service for every
# account-management tool, and installs the privileged entry points (su, sg,
# newgrp, newuidmap, newgidmap and, on mutable-user systems, passwd) through
# security.wrappers.  `users.mutableUsers` is read here but declared in
# another module.

{ config, lib, utils, pkgs, ... }:

let
  cfg = config.users;

  # Body of /etc/login.defs.  The "#" lines inside the string are part of the
  # generated file, not of this module.  Note that the two id ranges leave
  # 500-999 unassigned: neither a system account nor a regular account is ever
  # allocated there.  TTYGROUP/TTYPERM control the group and mode given to a
  # user's tty at login (presumably so that group-owned tools can write to it;
  # confirm against the shadow documentation).
  loginDefs = ''
    DEFAULT_HOME yes

    SYS_UID_MIN 400
    SYS_UID_MAX 499
    UID_MIN 1000
    UID_MAX 29999

    SYS_GID_MIN 400
    SYS_GID_MAX 499
    GID_MIN 1000
    GID_MAX 29999

    TTYGROUP tty
    TTYPERM 0620

    # Ensure privacy for newly created home directories.
    UMASK 077

    # Uncomment this and install chfn SUID to allow non-root
    # users to change their account GECOS information.
    # This should be made configurable.
    #CHFN_RESTRICT frwh

  '';

  # Body of /etc/default/useradd: the group, home base directory and login
  # shell handed to accounts created by `useradd` without explicit flags.
  # The shell is rendered through utils.toShellPath so that a shell *package*
  # is turned into the path that ends up in /etc/passwd.
  useraddDefaults = ''
    GROUP=100
    HOME=/home
    SHELL=${utils.toShellPath cfg.defaultUserShell}
  '';

  # Account-management tools that only root is expected to run; each gets a
  # PAM service that simply lets root through.
  rootOnlyTools = [
    "chsh" "chfn" "useradd" "usermod" "userdel"
    "groupadd" "groupmod" "groupmems" "groupdel" "chpasswd"
  ];

in

{

  ###### interface

  options = {

    users.defaultUserShell = lib.mkOption {
      description = ''
        This option defines the default shell assigned to user
        accounts. This can be either a full system path or a shell package.

        This must not be a store path, since the path is
        used outside the store (in particular in /etc/passwd).
      '';
      example = lib.literalExample "pkgs.zsh";
      type = lib.types.either lib.types.path lib.types.shellPackage;
    };

  };


  ###### implementation

  config = {

    environment.systemPackages =
      # The shadow tools are only useful when the user database is editable
      # in place.
      lib.optional cfg.mutableUsers pkgs.shadow
      # A default shell given as a package must itself be installed.
      ++ lib.optional (lib.types.shellPackage.check cfg.defaultUserShell) cfg.defaultUserShell;

    environment.etc = [
      { # /etc/login.defs: global configuration for pwdutils. You
        # cannot login without it!
        source = pkgs.writeText "login.defs" loginDefs;
        target = "login.defs";
      }
      { # /etc/default/useradd: configuration for useradd.
        source = pkgs.writeText "useradd" useraddDefaults;
        target = "default/useradd";
      }
    ];

    security.pam.services =
      # Note: useradd, groupadd etc. aren't setuid root, so it
      # doesn't really matter what the PAM config says as long as it
      # lets root in.
      lib.genAttrs rootOnlyTools (_: { rootOK = true; })
      // {
        # su is the one root-OK service whose failures are worth logging,
        # since it is installed setuid (see security.wrappers below).
        su = { rootOK = true; forwardXAuth = true; logFailures = true; };
        passwd = {};
        # allowNullPassword presumably permits login to accounts whose
        # password field is empty (pam_unix "nullok"); confirm in the PAM
        # module before relying on it.
        login = { startSession = true; allowNullPassword = true; showMotd = true; updateWtmp = true; };
      };

    # Privileged entry points.  passwd is only installed when the user
    # database is mutable; on an immutable system there is nothing for it to
    # change.
    security.wrappers = {
      su.source = "${pkgs.shadow.su}/bin/su";
      sg.source = "${pkgs.shadow.out}/bin/sg";
      newgrp.source = "${pkgs.shadow.out}/bin/newgrp";
      newuidmap.source = "${pkgs.shadow.out}/bin/newuidmap";
      newgidmap.source = "${pkgs.shadow.out}/bin/newgidmap";
    } // lib.optionalAttrs cfg.mutableUsers {
      passwd.source = "${pkgs.shadow.out}/bin/passwd";
    };

  };
}