commit 05420f34cf7b8eb6acb1e18d918b1a9a78762473 · pyrox.dev/nixpkgs

nixos/modules/module-list.nix

···

       1276
       1276
        
         ./system/boot/systemd/tmpfiles.nix

     

       1277
       1277
        
         ./system/boot/systemd/user.nix

     

       1278
       1278
        
         ./system/boot/systemd/userdbd.nix

     

       1279
       1279
       +
         ./system/boot/systemd/homed.nix

     

       1279
       1280
        
         ./system/boot/timesyncd.nix

     

       1280
       1281
        
         ./system/boot/tmp.nix

     

       1281
       1282
        
         ./system/boot/uvesafb.nix

+24 -3

nixos/modules/security/pam.nix

···

       488
       488
        
                   account [success=ok ignore=ignore default=die] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so

     

       489
       489
        
                   account [success=ok default=ignore] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so

     

       490
       490
        
                 '' +

     

       491
       491
       +
                 optionalString config.services.homed.enable ''

     

       492
       492
       +
                   account sufficient ${config.systemd.package}/lib/security/pam_systemd_home.so

     

       493
       493
       +
                 '' +

     

       491
       494
        
                 # The required pam_unix.so module has to come after all the sufficient modules

     

       492
       495
        
                 # because otherwise, the account lookup will fail if the user does not exist

     

       493
       496
        
                 # locally, for example with MySQL- or LDAP-auth.

     
···

       541
       544
        
                 # after it succeeds. Certain modules need to run after pam_unix

     

       542
       545
        
                 # prompts the user for password so we run it once with 'optional' at an

     

       543
       546
        
                 # earlier point and it will run again with 'sufficient' further down.

     

       544
       544
       -
                 # We use try_first_pass the second time to avoid prompting password twice

     

       545
       545
       -
                 (optionalString (cfg.unixAuth &&

     

       547
       547
       +
                 # We use try_first_pass the second time to avoid prompting password twice.

     

       548
       548
       +
                 #

     

       549
       549
       +
                 # The same principle applies to systemd-homed

     

       550
       550
       +
                 (optionalString ((cfg.unixAuth || config.services.homed.enable) &&

     

       546
       551
        
                   (config.security.pam.enableEcryptfs

     

       547
       552
        
                     || config.security.pam.enableFscrypt

     

       548
       553
        
                     || cfg.pamMount

     
···

       553
       558
        
                     || cfg.failDelay.enable

     

       554
       559
        
                     || cfg.duoSecurity.enable))

     

       555
       560
        
                   (

     

       556
       556
       -
                     ''

     

       561
       561
       +
                     optionalString config.services.homed.enable ''

     

       562
       562
       +
                       auth optional ${config.systemd.package}/lib/security/pam_systemd_home.so

     

       563
       563
       +
                     '' +

     

       564
       564
       +
                     optionalString cfg.unixAuth ''

     

       557
       565
        
                       auth optional pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth

     

       558
       566
        
                     '' +

     

       559
       567
        
                     optionalString config.security.pam.enableEcryptfs ''

     
···

       584
       592
        
                       auth required ${pkgs.duo-unix}/lib/security/pam_duo.so

     

       585
       593
        
                     ''

     

       586
       594
        
                   )) +

     

       595
       595
       +
                 optionalString config.services.homed.enable ''

     

       596
       596
       +
                   auth sufficient ${config.systemd.package}/lib/security/pam_systemd_home.so

     

       597
       597
       +
                 '' +

     

       587
       598
        
                 optionalString cfg.unixAuth ''

     

       588
       599
        
                   auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth try_first_pass

     

       589
       600
        
                 '' +

     
···

       605
       616
        
                   auth required pam_deny.so

     

       606
       617
        
       

     

       607
       618
        
                   # Password management.

     

       619
       619
       +
                 '' +

     

       620
       620
       +
                 optionalString config.services.homed.enable ''

     

       621
       621
       +
                   password sufficient ${config.systemd.package}/lib/security/pam_systemd_home.so

     

       622
       622
       +
                 '' + ''

     

       608
       623
        
                   password sufficient pam_unix.so nullok sha512

     

       609
       624
        
                 '' +

     

       610
       625
        
                 optionalString config.security.pam.enableEcryptfs ''

     
···

       650
       665
        
                 ++ optional (cfg.ttyAudit.enablePattern != null) "enable=${cfg.ttyAudit.enablePattern}"

     

       651
       666
        
                 ++ optional (cfg.ttyAudit.disablePattern != null) "disable=${cfg.ttyAudit.disablePattern}"

     

       652
       667
        
                 )) +

     

       668
       668
       +
                 optionalString config.services.homed.enable ''

     

       669
       669
       +
                   session required ${config.systemd.package}/lib/security/pam_systemd_home.so

     

       670
       670
       +
                 '' +

     

       653
       671
        
                 optionalString cfg.makeHomeDir ''

     

       654
       672
        
                   session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=0077

     

       655
       673
        
                 '' +

     
···

       1345
       1363
        
             '' +

     

       1346
       1364
        
             optionalString config.virtualisation.lxc.lxcfs.enable ''

     

       1347
       1365
        
               mr ${pkgs.lxc}/lib/security/pam_cgfs.so

     

       1366
       1366
       +
             '' +

     

       1367
       1367
       +
             optionalString config.services.homed.enable ''

     

       1368
       1368
       +
               mr ${config.systemd.package}/lib/security/pam_systemd_home.so

     

       1348
       1369
        
             '';

     

       1349
       1370
        
         };

     

       1350
       1371

+1 -1

nixos/modules/system/boot/systemd.nix

···

       450
       450
        
               (mkAfter [ "systemd" ])

     

       451
       451
        
             ]);

     

       452
       452
        
             group = (mkMerge [

     

       453
       453
       -
               (mkAfter [ "systemd" ])

     

       453
       453
       +
               (mkAfter [ "[success=merge] systemd" ]) # need merge so that NSS won't stop at file-based groups

     

       454
       454
        
             ]);

     

       455
       455
        
           };

     

       456
       456

+43

nixos/modules/system/boot/systemd/homed.nix

···

       1
       1
       +
       { config, lib, pkgs, ... }:

     

       2
       2
       +
       

     

       3
       3
       +
       let

     

       4
       4
       +
         cfg = config.services.homed;

     

       5
       5
       +
       in

     

       6
       6
       +
       {

     

       7
       7
       +
         options.services.homed.enable = lib.mkEnableOption (lib.mdDoc ''

     

       8
       8
       +
           Enable systemd home area/user account manager

     

       9
       9
       +
         '');

     

       10
       10
       +
       

     

       11
       11
       +
         config = lib.mkIf cfg.enable {

     

       12
       12
       +
           assertions = [

     

       13
       13
       +
             {

     

       14
       14
       +
               assertion = config.services.nscd.enable;

     

       15
       15
       +
               message = "systemd-homed requires the use of systemd nss module. services.nscd.enable must be set to true,";

     

       16
       16
       +
             }

     

       17
       17
       +
           ];

     

       18
       18
       +
       

     

       19
       19
       +
           systemd.additionalUpstreamSystemUnits = [

     

       20
       20
       +
             "systemd-homed.service"

     

       21
       21
       +
             "systemd-homed-activate.service"

     

       22
       22
       +
           ];

     

       23
       23
       +
       

     

       24
       24
       +
           # This is mentioned in homed's [Install] section.

     

       25
       25
       +
           #

     

       26
       26
       +
           # While homed appears to work without it, it's probably better

     

       27
       27
       +
           # to follow upstream recommendations.

     

       28
       28
       +
           services.userdbd.enable = lib.mkDefault true;

     

       29
       29
       +
       

     

       30
       30
       +
           systemd.services = {

     

       31
       31
       +
             systemd-homed = {

     

       32
       32
       +
               # These packages are required to manage encrypted volumes

     

       33
       33
       +
               path = config.system.fsPackages;

     

       34
       34
       +
               aliases = [ "dbus-org.freedesktop.home1.service" ];

     

       35
       35
       +
               wantedBy = [ "multi-user.target" ];

     

       36
       36
       +
             };

     

       37
       37
       +
       

     

       38
       38
       +
             systemd-homed-activate = {

     

       39
       39
       +
               wantedBy = [ "systemd-homed.service" ];

     

       40
       40
       +
             };

     

       41
       41
       +
           };

     

       42
       42
       +
         };

     

       43
       43
       +
       }

nixos/tests/all-tests.nix

···

       637
       637
        
         systemd-timesyncd = handleTest ./systemd-timesyncd.nix {};

     

       638
       638
        
         systemd-misc = handleTest ./systemd-misc.nix {};

     

       639
       639
        
         systemd-userdbd = handleTest ./systemd-userdbd.nix {};

     

       640
       640
       +
         systemd-homed = handleTest ./systemd-homed.nix {};

     

       640
       641
        
         tandoor-recipes = handleTest ./tandoor-recipes.nix {};

     

       641
       642
        
         taskserver = handleTest ./taskserver.nix {};

     

       642
       643
        
         tayga = handleTest ./tayga.nix {};

+99

nixos/tests/systemd-homed.nix

···

       1
       1
       +
       import ./make-test-python.nix ({ pkgs, lib, ... }:

     

       2
       2
       +
       let

     

       3
       3
       +
         password = "foobar";

     

       4
       4
       +
         newPass = "barfoo";

     

       5
       5
       +
       in

     

       6
       6
       +
       {

     

       7
       7
       +
         name = "systemd-homed";

     

       8
       8
       +
         nodes.machine = { config, pkgs, ... }: {

     

       9
       9
       +
           services.homed.enable = true;

     

       10
       10
       +
       

     

       11
       11
       +
           users.users.test-normal-user = {

     

       12
       12
       +
             extraGroups = [ "wheel" ];

     

       13
       13
       +
             isNormalUser = true;

     

       14
       14
       +
             initialPassword = password;

     

       15
       15
       +
           };

     

       16
       16
       +
         };

     

       17
       17
       +
         testScript = ''

     

       18
       18
       +
           def switchTTY(number):

     

       19
       19
       +
             machine.send_key(f"alt-f{number}")

     

       20
       20
       +
             machine.wait_until_succeeds(f"[ $(fgconsole) = {number} ]")

     

       21
       21
       +
             machine.wait_for_unit(f"getty@tty{number}.service")

     

       22
       22
       +
             machine.wait_until_succeeds(f"pgrep -f 'agetty.*tty{number}'")

     

       23
       23
       +
       

     

       24
       24
       +
           machine.wait_for_unit("multi-user.target")

     

       25
       25
       +
       

     

       26
       26
       +
           # Smoke test to make sure the pam changes didn't break regular users.

     

       27
       27
       +
           machine.wait_until_succeeds("pgrep -f 'agetty.*tty1'")

     

       28
       28
       +
           with subtest("login as regular user"):

     

       29
       29
       +
             switchTTY(2)

     

       30
       30
       +
             machine.wait_until_tty_matches("2", "login: ")

     

       31
       31
       +
             machine.send_chars("test-normal-user\n")

     

       32
       32
       +
             machine.wait_until_tty_matches("2", "login: test-normal-user")

     

       33
       33
       +
             machine.wait_until_tty_matches("2", "Password: ")

     

       34
       34
       +
             machine.send_chars("${password}\n")

     

       35
       35
       +
             machine.wait_until_succeeds("pgrep -u test-normal-user bash")

     

       36
       36
       +
             machine.send_chars("whoami > /tmp/1\n")

     

       37
       37
       +
             machine.wait_for_file("/tmp/1")

     

       38
       38
       +
             assert "test-normal-user" in machine.succeed("cat /tmp/1")

     

       39
       39
       +
       

     

       40
       40
       +
           with subtest("create homed encrypted user"):

     

       41
       41
       +
             # TODO: Figure out how to pass password manually.

     

       42
       42
       +
             #

     

       43
       43
       +
             # This environment variable is used for homed internal testing

     

       44
       44
       +
             # and is not documented.

     

       45
       45
       +
             machine.succeed("NEWPASSWORD=${password} homectl create --shell=/run/current-system/sw/bin/bash --storage=luks -G wheel test-homed-user")

     

       46
       46
       +
       

     

       47
       47
       +
           with subtest("login as homed user"):

     

       48
       48
       +
             switchTTY(3)

     

       49
       49
       +
             machine.wait_until_tty_matches("3", "login: ")

     

       50
       50
       +
             machine.send_chars("test-homed-user\n")

     

       51
       51
       +
             machine.wait_until_tty_matches("3", "login: test-homed-user")

     

       52
       52
       +
             machine.wait_until_tty_matches("3", "Password: ")

     

       53
       53
       +
             machine.send_chars("${password}\n")

     

       54
       54
       +
             machine.wait_until_succeeds("pgrep -t tty3 -u test-homed-user bash")

     

       55
       55
       +
             machine.send_chars("whoami > /tmp/2\n")

     

       56
       56
       +
             machine.wait_for_file("/tmp/2")

     

       57
       57
       +
             assert "test-homed-user" in machine.succeed("cat /tmp/2")

     

       58
       58
       +
       

     

       59
       59
       +
           with subtest("change homed user password"):

     

       60
       60
       +
             switchTTY(4)

     

       61
       61
       +
             machine.wait_until_tty_matches("4", "login: ")

     

       62
       62
       +
             machine.send_chars("test-homed-user\n")

     

       63
       63
       +
             machine.wait_until_tty_matches("4", "login: test-homed-user")

     

       64
       64
       +
             machine.wait_until_tty_matches("4", "Password: ")

     

       65
       65
       +
             machine.send_chars("${password}\n")

     

       66
       66
       +
             machine.wait_until_succeeds("pgrep -t tty4 -u test-homed-user bash")

     

       67
       67
       +
             machine.send_chars("passwd\n")

     

       68
       68
       +
             # homed does it in a weird order, it asks for new passes, then it asks

     

       69
       69
       +
             # for the old one.

     

       70
       70
       +
             machine.sleep(2)

     

       71
       71
       +
             machine.send_chars("${newPass}\n")

     

       72
       72
       +
             machine.sleep(2)

     

       73
       73
       +
             machine.send_chars("${newPass}\n")

     

       74
       74
       +
             machine.sleep(4)

     

       75
       75
       +
             machine.send_chars("${password}\n")

     

       76
       76
       +
             machine.wait_until_fails("pgrep -t tty4 passwd")

     

       77
       77
       +
       

     

       78
       78
       +
             @polling_condition

     

       79
       79
       +
             def not_logged_in_tty5():

     

       80
       80
       +
               machine.fail("pgrep -t tty5 bash")

     

       81
       81
       +
       

     

       82
       82
       +
             switchTTY(5)

     

       83
       83
       +
             with not_logged_in_tty5: # type: ignore[union-attr]

     

       84
       84
       +
               machine.wait_until_tty_matches("5", "login: ")

     

       85
       85
       +
               machine.send_chars("test-homed-user\n")

     

       86
       86
       +
               machine.wait_until_tty_matches("5", "login: test-homed-user")

     

       87
       87
       +
               machine.wait_until_tty_matches("5", "Password: ")

     

       88
       88
       +
               machine.send_chars("${password}\n")

     

       89
       89
       +
               machine.wait_until_tty_matches("5", "Password incorrect or not sufficient for authentication of user test-homed-user.")

     

       90
       90
       +
               machine.wait_until_tty_matches("5", "Sorry, try again: ")

     

       91
       91
       +
             machine.send_chars("${newPass}\n")

     

       92
       92
       +
             machine.send_chars("whoami > /tmp/4\n")

     

       93
       93
       +
             machine.wait_for_file("/tmp/4")

     

       94
       94
       +
             assert "test-homed-user" in machine.succeed("cat /tmp/4")

     

       95
       95
       +
       

     

       96
       96
       +
           with subtest("homed user should be in wheel according to NSS"):

     

       97
       97
       +
             machine.succeed("userdbctl group wheel -s io.systemd.NameServiceSwitch | grep test-homed-user")

     

       98
       98
       +
         '';

     

       99
       99
       +
       })

+1 -1

pkgs/os-specific/linux/systemd/default.nix

···

       81
       81
        
       , withDocumentation ? true

     

       82
       82
        
       , withEfi ? stdenv.hostPlatform.isEfi

     

       83
       83
        
       , withFido2 ? true

     

       84
       84
       -
       , withHomed ? false

     

       84
       84
       +
       , withHomed ? true

     

       85
       85
        
       , withHostnamed ? true

     

       86
       86
        
       , withHwdb ? true

     

       87
       87
        
       , withImportd ? !stdenv.hostPlatform.isMusl

pkgs/top-level/all-packages.nix

···

       25973
       25973
        
           withEfi = false;

     

       25974
       25974
        
           withFido2 = false;

     

       25975
       25975
        
           withHostnamed = false;

     

       25976
       25976
       +
           withHomed = false;

     

       25976
       25977
        
           withHwdb = false;

     

       25977
       25978
        
           withImportd = false;

     

       25978
       25979
        
           withLibBPF = false;