pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #30686 from gnidorah/keyring

pam: add optional pam_gnome_keyring integration

Jörg Thalheim 310ad434 90576828

options
unified split
Changed files
+16 -1
nixos
modules
security
pam.nix
+16 -1
nixos/modules/security/pam.nix 
···

       
223

       
223

       
 

       
        '';


     

       
224

       
224

       
 

       
      };


     

       
225

       
225

       
 

       



     

       

       
226

       
+

       
      enableGnomeKeyring = mkOption {


     

       

       
227

       
+

       
        default = false;


     

       

       
228

       
+

       
        type = types.bool;


     

       

       
229

       
+

       
        description = ''


     

       

       
230

       
+

       
          If enabled, pam_gnome_keyring will attempt to automatically unlock the


     

       

       
231

       
+

       
          user's default Gnome keyring upon login. If the user login password does


     

       

       
232

       
+

       
          not match their keyring password, Gnome Keyring will prompt separately


     

       

       
233

       
+

       
          after login.


     

       

       
234

       
+

       
        '';


     

       

       
235

       
+

       
      };


     

       

       
236

       
+

       



     

       
226

       
237

       
 

       
      text = mkOption {


     

       
227

       
238

       
 

       
        type = types.nullOr types.lines;


     

       
228

       
239

       
 

       
        description = "Contents of the PAM service file.";


     
···

       
273

       
284

       
 

       
          # prompts the user for password so we run it once with 'required' at an


     

       
274

       
285

       
 

       
          # earlier point and it will run again with 'sufficient' further down.


     

       
275

       
286

       
 

       
          # We use try_first_pass the second time to avoid prompting password twice


     

       
276

       

       
-

       
          (optionalString (cfg.unixAuth && (config.security.pam.enableEcryptfs || cfg.pamMount || cfg.enableKwallet)) ''


     

       

       
287

       
+

       
          (optionalString (cfg.unixAuth && (config.security.pam.enableEcryptfs || cfg.pamMount || cfg.enableKwallet || cfg.enableGnomeKeyring)) ''


     

       
277

       
288

       
 

       
              auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth


     

       
278

       
289

       
 

       
              ${optionalString config.security.pam.enableEcryptfs


     

       
279

       
290

       
 

       
                "auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"}


     
···

       
282

       
293

       
 

       
              ${optionalString cfg.enableKwallet


     

       
283

       
294

       
 

       
                ("auth optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" +


     

       
284

       
295

       
 

       
                 " kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")}


     

       

       
296

       
+

       
              ${optionalString cfg.enableGnomeKeyring


     

       

       
297

       
+

       
                ("auth optional ${pkgs.gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so")}


     

       
285

       
298

       
 

       
            '') + ''


     

       
286

       
299

       
 

       
          ${optionalString cfg.unixAuth


     

       
287

       
300

       
 

       
              "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth try_first_pass"}


     
···

       
351

       
364

       
 

       
          ${optionalString (cfg.enableKwallet)


     

       
352

       
365

       
 

       
              ("session optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" +


     

       
353

       
366

       
 

       
               " kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")}


     

       

       
367

       
+

       
          ${optionalString (cfg.enableGnomeKeyring)


     

       

       
368

       
+

       
              "session optional ${pkgs.gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so auto_start"}


     

       
354

       
369

       
 

       
          ${optionalString (config.virtualisation.lxc.lxcfs.enable)


     

       
355

       
370

       
 

       
               "session optional ${pkgs.lxcfs}/lib/security/pam_cgfs.so -c freezer,memory,name=systemd,unified,cpuset"}


     

       
356

       
371

       
 

       
        '');