commit be5ad774bff3e8fe21010d606776672ae7b6ee55 · pyrox.dev/nixpkgs

+30
nixos/modules/security/pam.nix
···

       77
       77
        
               '';

     

       78
       78
        
             };

     

       79
       79
        
       

     

       80
       80
       +
             googleOsLoginAccountVerification = mkOption {

     

       81
       81
       +
               default = false;

     

       82
       82
       +
               type = types.bool;

     

       83
       83
       +
               description = ''

     

       84
       84
       +
                 If set, will use the Google OS Login PAM modules

     

       85
       85
       +
                 (<literal>pam_oslogin_login</literal>,

     

       86
       86
       +
                 <literal>pam_oslogin_admin</literal>) to verify possible OS Login

     

       87
       87
       +
                 users and set sudoers configuration accordingly.

     

       88
       88
       +
                 This only makes sense to enable for the <literal>sshd</literal> PAM

     

       89
       89
       +
                 service.

     

       90
       90
       +
               '';

     

       91
       91
       +
             };

     

       92
       92
       +
       

     

       93
       93
       +
             googleOsLoginAuthentication = mkOption {

     

       94
       94
       +
               default = false;

     

       95
       95
       +
               type = types.bool;

     

       96
       96
       +
               description = ''

     

       97
       97
       +
                 If set, will use the <literal>pam_oslogin_login</literal>'s user

     

       98
       98
       +
                 authentication methods to authenticate users using 2FA.

     

       99
       99
       +
                 This only makes sense to enable for the <literal>sshd</literal> PAM

     

       100
       100
       +
                 service.

     

       101
       101
       +
               '';

     

       102
       102
       +
             };

     

       103
       103
       +
       

     

       80
       104
        
             fprintAuth = mkOption {

     

       81
       105
        
               default = config.services.fprintd.enable;

     

       82
       106
        
               type = types.bool;

     
···

       278
       302
        
                     "account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so"}

     

       279
       303
        
                 ${optionalString config.krb5.enable

     

       280
       304
        
                     "account sufficient ${pam_krb5}/lib/security/pam_krb5.so"}

     

       305
       305
       +
                 ${optionalString cfg.googleOsLoginAccountVerification ''

     

       306
       306
       +
                   account [success=ok ignore=ignore default=die] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so

     

       307
       307
       +
                   account [success=ok default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so

     

       308
       308
       +
                 ''}

     

       281
       309
        
       

     

       282
       310
        
                 # Authentication management.

     

       311
       311
       +
                 ${optionalString cfg.googleOsLoginAuthentication

     

       312
       312
       +
                     "auth [success=done perm_denied=bad default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so"}

     

       283
       313
        
                 ${optionalString cfg.rootOK

     

       284
       314
        
                     "auth sufficient pam_rootok.so"}

     

       285
       315
        
                 ${optionalString cfg.requireWheel