pyrox.dev / nixpkgs
lol
fork atom

nixos/ecryptfs: init

Currently, ecryptfs support is coupled to `security.pam.enableEcryptfs`, but one
might want to use ecryptfs without enabling the PAM functionality. This commit
splits it out into a `boot.supportedFilesystems` switch.

edef ea35bc94 7867b508

options
unified split
Changed files
+19 -6
nixos
modules
module-list.nix
security
pam.nix
tasks
filesystems
ecryptfs.nix
+1
nixos/modules/module-list.nix 
···

       
696

       
 

       
  ./tasks/filesystems/bcachefs.nix


     

       
697

       
 

       
  ./tasks/filesystems/btrfs.nix


     

       
698

       
 

       
  ./tasks/filesystems/cifs.nix


     

       

       

       
     

       
699

       
 

       
  ./tasks/filesystems/exfat.nix


     

       
700

       
 

       
  ./tasks/filesystems/ext.nix


     

       
701

       
 

       
  ./tasks/filesystems/f2fs.nix


     
···

       
696

       
 

       
  ./tasks/filesystems/bcachefs.nix


     

       
697

       
 

       
  ./tasks/filesystems/btrfs.nix


     

       
698

       
 

       
  ./tasks/filesystems/cifs.nix


     

       
699

       
+

       
  ./tasks/filesystems/ecryptfs.nix


     

       
700

       
 

       
  ./tasks/filesystems/exfat.nix


     

       
701

       
 

       
  ./tasks/filesystems/ext.nix


     

       
702

       
 

       
  ./tasks/filesystems/f2fs.nix
+4 -6
nixos/modules/security/pam.nix 
···

       
486

       
 

       
      ++ optionals config.krb5.enable [pam_krb5 pam_ccreds]


     

       
487

       
 

       
      ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]


     

       
488

       
 

       
      ++ optionals config.security.pam.oath.enable [ pkgs.oathToolkit ]


     

       
489

       
-

       
      ++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ]


     

       
490

       
-

       
      ++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ];


     

       

       

       
     

       
491

       
 

       



     

       
492

       
 

       
    security.wrappers = {


     

       
493

       
 

       
      unix_chkpwd = {


     
···

       
495

       
 

       
        owner = "root";


     

       
496

       
 

       
        setuid = true;


     

       
497

       
 

       
      };


     

       
498

       
-

       
    } // (if config.security.pam.enableEcryptfs then {


     

       
499

       
-

       
      "mount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";


     

       
500

       
-

       
       "umount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";


     

       
501

       
-

       
    } else {});


     

       
502

       
 

       



     

       
503

       
 

       
    environment.etc =


     

       
504

       
 

       
      mapAttrsToList (n: v: makePAMService v) config.security.pam.services;


     
···

       
486

       
 

       
      ++ optionals config.krb5.enable [pam_krb5 pam_ccreds]


     

       
487

       
 

       
      ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]


     

       
488

       
 

       
      ++ optionals config.security.pam.oath.enable [ pkgs.oathToolkit ]


     

       
489

       
+

       
      ++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ];


     

       
490

       
+

       



     

       
491

       
+

       
    boot.supportedFilesystems = optionals config.security.pam.enableEcryptfs [ "ecryptfs" ];


     

       
492

       
 

       



     

       
493

       
 

       
    security.wrappers = {


     

       
494

       
 

       
      unix_chkpwd = {


     
···

       
496

       
 

       
        owner = "root";


     

       
497

       
 

       
        setuid = true;


     

       
498

       
 

       
      };


     

       
499

       
+

       
    };


     

       

       

       
     

       

       

       
     

       

       

       
     

       
500

       
 

       



     

       
501

       
 

       
    environment.etc =


     

       
502

       
 

       
      mapAttrsToList (n: v: makePAMService v) config.security.pam.services;
+14
nixos/modules/tasks/filesystems/ecryptfs.nix 
···

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     
···

       
1

       
+

       
{ config, lib, pkgs, ... }:


     

       
2

       
+

       
# TODO: make ecryptfs work in initramfs?


     

       
3

       
+

       



     

       
4

       
+

       
with lib;


     

       
5

       
+

       



     

       
6

       
+

       
{


     

       
7

       
+

       
  config = mkIf (any (fs: fs == "ecryptfs") config.boot.supportedFilesystems) {


     

       
8

       
+

       
    system.fsPackages = [ pkgs.ecryptfs ];


     

       
9

       
+

       
    security.wrappers = {


     

       
10

       
+

       
      "mount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";


     

       
11

       
+

       
      "umount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";


     

       
12

       
+

       
    };


     

       
13

       
+

       
  };


     

       
14

       
+

       
}