1# Configuration for the pwdutils suite of tools: passwd, useradd, etc.
2
3{ config, lib, pkgs, ... }:
4
5with lib;
6
7let
8
  # Contents of /etc/login.defs, the global configuration read by the
  # shadow/pwdutils tools (login, su, useradd, chfn, ...).  Everything
  # between the '' quotes is written to the file verbatim, so the '#'
  # lines inside the string are login.defs comments, not Nix comments.
  #
  # Security-relevant choices made here:
  #  - UMASK 077: home directories created by useradd are readable only
  #    by their owner.
  #  - TTYGROUP tty / TTYPERM 0620: per login.defs(5) the login tty is
  #    given group "tty" and mode 0620, so other users cannot read or
  #    write a session's terminal.
  #  - CHFN_RESTRICT is left unset: per login.defs(5) that means only the
  #    superuser may change GECOS fields with chfn, even though chfn is
  #    installed setuid root by this module.  Uncommenting the "frwh"
  #    line would let ordinary users edit all four fields.
  #  - UID/GID ranges: system accounts get 400-499, regular accounts
  #    1000-29999; anything created outside these ranges will not be
  #    auto-allocated by useradd/groupadd.
  loginDefs =
    ''
      DEFAULT_HOME yes

      SYS_UID_MIN 400
      SYS_UID_MAX 499
      UID_MIN 1000
      UID_MAX 29999

      SYS_GID_MIN 400
      SYS_GID_MAX 499
      GID_MIN 1000
      GID_MAX 29999

      TTYGROUP tty
      TTYPERM 0620

      # Ensure privacy for newly created home directories.
      UMASK 077

      # Uncomment this to allow non-root users to change their account
      #information. This should be made configurable.
      #CHFN_RESTRICT frwh

    '';
34
35in
36
37{
38
39 ###### interface
40
41 options = {
42
43 users.defaultUserShell = lib.mkOption {
44 description = ''
45 This option defines the default shell assigned to user
46 accounts. This must not be a store path, since the path is
47 used outside the store (in particular in /etc/passwd).
48 Rather, it should be the path of a symlink that points to the
49 actual shell in the Nix store.
50 '';
51 example = "/run/current-system/sw/bin/zsh";
52 type = types.path;
53 };
54
55 };
56
57
58 ###### implementation
59
60 config = {
61
62 environment.systemPackages =
63 lib.optional config.users.mutableUsers pkgs.shadow;
64
65 environment.etc =
66 [ { # /etc/login.defs: global configuration for pwdutils. You
67 # cannot login without it!
68 source = pkgs.writeText "login.defs" loginDefs;
69 target = "login.defs";
70 }
71
72 { # /etc/default/useradd: configuration for useradd.
73 source = pkgs.writeText "useradd"
74 ''
75 GROUP=100
76 HOME=/home
77 SHELL=${config.users.defaultUserShell}
78 '';
79 target = "default/useradd";
80 }
81 ];
82
83 security.pam.services =
84 { chsh = { rootOK = true; };
85 chfn = { rootOK = true; };
86 su = { rootOK = true; forwardXAuth = true; logFailures = true; };
87 passwd = {};
88 # Note: useradd, groupadd etc. aren't setuid root, so it
89 # doesn't really matter what the PAM config says as long as it
90 # lets root in.
91 useradd = { rootOK = true; };
92 usermod = { rootOK = true; };
93 userdel = { rootOK = true; };
94 groupadd = { rootOK = true; };
95 groupmod = { rootOK = true; };
96 groupmems = { rootOK = true; };
97 groupdel = { rootOK = true; };
98 login = { startSession = true; allowNullPassword = true; showMotd = true; updateWtmp = true; };
99 chpasswd = { rootOK = true; };
100 chgpasswd = { rootOK = true; };
101 };
102
103 security.setuidPrograms = [ "su" "chfn" ]
104 ++ lib.optionals config.users.mutableUsers
105 [ "passwd" "sg" "newgrp"
106 "newuidmap" "newgidmap" # new in shadow 4.2.x
107 ];
108
109 };
110
111}