nixpkgs/nixos/modules/security/pam_mount.nix

{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.security.pam.mount;

  anyPamMount = any (attrByPath ["pamMount"] false) (attrValues config.security.pam.services);
in

{
  options = {

    security.pam.mount = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Enable PAM mount system to mount fileystems on user login.
        '';
      };

      extraVolumes = mkOption {
        type = types.listOf types.str;
        default = [];
        description = ''
          List of volume definitions for pam_mount.
          For more information, visit <link
          xlink:href="http://pam-mount.sourceforge.net/pam_mount.conf.5.html" />.
        '';
      };
    };

  };

  config = mkIf (cfg.enable || anyPamMount) {

    environment.systemPackages = [ pkgs.pam_mount ];
    environment.etc."security/pam_mount.conf.xml" = {
      source =
        let
          extraUserVolumes = filterAttrs (n: u: u.cryptHomeLuks != null || u.pamMount != {}) config.users.users;
          mkAttr = k: v: ''${k}="${v}"'';
          userVolumeEntry = user: let
            attrs = {
              user = user.name;
              path = user.cryptHomeLuks;
              mountpoint = user.home;
            } // user.pamMount;
          in
            "<volume ${concatStringsSep " " (mapAttrsToList mkAttr attrs)} />\n";
        in
         pkgs.writeText "pam_mount.conf.xml" ''
          <?xml version="1.0" encoding="utf-8" ?>
          <!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
          <!-- auto generated from Nixos: modules/config/users-groups.nix -->
          <pam_mount>
          <debug enable="0" />

          <!-- if activated, requires ofl from hxtools to be present -->
          <logout wait="0" hup="no" term="no" kill="no" />
          <!-- set PATH variable for pam_mount module -->
          <path>${pkgs.utillinux}/bin</path>
          <!-- create mount point if not present -->
          <mkmountpoint enable="1" remove="true" />

          <!-- specify the binaries to be called -->
          <cryptmount>${pkgs.pam_mount}/bin/mount.crypt %(VOLUME) %(MNTPT)</cryptmount>
          <cryptumount>${pkgs.pam_mount}/bin/umount.crypt %(MNTPT)</cryptumount>
          <pmvarrun>${pkgs.pam_mount}/bin/pmvarrun -u %(USER) -o %(OPERATION)</pmvarrun>

          ${concatStrings (map userVolumeEntry (attrValues extraUserVolumes))}
          ${concatStringsSep "\n" cfg.extraVolumes}
          </pam_mount>
          '';
    };

  };
}
pam_mount module: integrate pam_mount into PAM of NixOS 2015-07-02 16:46:56 +02:00			`{ config, lib, pkgs, ... }:`

			`with lib;`

			`let`
			`cfg = config.security.pam.mount;`

			`anyPamMount = any (attrByPath ["pamMount"] false) (attrValues config.security.pam.services);`
			`in`

			`{`
			`options = {`

			`security.pam.mount = {`
			`enable = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = ''`
			`Enable PAM mount system to mount fileystems on user login.`
			`'';`
			`};`

			`extraVolumes = mkOption {`
			`type = types.listOf types.str;`
			`default = [];`
			`description = ''`
			`List of volume definitions for pam_mount.`
			`For more information, visit <link`
			`xlink:href="http://pam-mount.sourceforge.net/pam_mount.conf.5.html" />.`
			`'';`
			`};`
			`};`

			`};`

			`config = mkIf (cfg.enable \|\| anyPamMount) {`

			`environment.systemPackages = [ pkgs.pam_mount ];`
treewide: use attrs instead of list for types.loaOf options 2019-09-14 19:51:29 +02:00			`environment.etc."security/pam_mount.conf.xml" = {`
pam_mount module: integrate pam_mount into PAM of NixOS 2015-07-02 16:46:56 +02:00			`source =`
			`let`
nixos/pam_mount: add pamMount attribute to users This attribute is a generalized version of cryptHomeLuks for creating an entry in /etc/security/pam_mount.conf.xml. It lets the configuration control all the attributes of the <volume> entry, instead of just the path. The default path remains the value of cryptHomeLuks, for compatibility. 2020-10-14 17:29:30 -07:00			`extraUserVolumes = filterAttrs (n: u: u.cryptHomeLuks != null \|\| u.pamMount != {}) config.users.users;`
			`mkAttr = k: v: ''${k}="${v}"'';`
			`userVolumeEntry = user: let`
			`attrs = {`
			`user = user.name;`
			`path = user.cryptHomeLuks;`
			`mountpoint = user.home;`
			`} // user.pamMount;`
			`in`
			`"<volume ${concatStringsSep " " (mapAttrsToList mkAttr attrs)} />\n";`
pam_mount module: integrate pam_mount into PAM of NixOS 2015-07-02 16:46:56 +02:00			`in`
			`pkgs.writeText "pam_mount.conf.xml" ''`
			`<?xml version="1.0" encoding="utf-8" ?>`
			`<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">`
			`<!-- auto generated from Nixos: modules/config/users-groups.nix -->`
			`<pam_mount>`
			`<debug enable="0" />`

			`<!-- if activated, requires ofl from hxtools to be present -->`
			`<logout wait="0" hup="no" term="no" kill="no" />`
			`<!-- set PATH variable for pam_mount module -->`
			`<path>${pkgs.utillinux}/bin</path>`
			`<!-- create mount point if not present -->`
			`<mkmountpoint enable="1" remove="true" />`

			`<!-- specify the binaries to be called -->`
			`<cryptmount>${pkgs.pam_mount}/bin/mount.crypt %(VOLUME) %(MNTPT)</cryptmount>`
			`<cryptumount>${pkgs.pam_mount}/bin/umount.crypt %(MNTPT)</cryptumount>`
			`<pmvarrun>${pkgs.pam_mount}/bin/pmvarrun -u %(USER) -o %(OPERATION)</pmvarrun>`
pam_mount: change order of lines in pam_mount.conf Change order of pam_mount.conf.xml so that users can override the preset configs. My use case is to mount a gocryptfs (a fuse program) volume. I can not do that in current order. Because even if I change the `<fusermount>` and `<fuserumount>` by add below to extraVolumes ``` <fusemount>${pkgs.fuse}/bin/mount.fuse %(VOLUME) %(MNTPT) "%(before=\"-o \" OPTIONS)"</fusemount> <fuseumount>${pkgs.fuse}/bin/fusermount -u %(MNTPT)</fuseumount> ``` mount.fuse still does not work because it can not find `fusermount`. pam_mount will told stat /bin/fusermount failed. Fine, I can add a `<path>` section to extraVolumes ``` <path>${pkgs.fuse}/bin:${pkgs.coreutils}/bin:${pkgs.utillinux}/bin</path> ``` but then the `<path>` section is overridden by the hardcoded `<path>${pkgs.utillinux}/bin</path>` below. So it still does not work. 2019-11-03 12:43:01 +08:00
			`${concatStrings (map userVolumeEntry (attrValues extraUserVolumes))}`
			`${concatStringsSep "\n" cfg.extraVolumes}`
pam_mount module: integrate pam_mount into PAM of NixOS 2015-07-02 16:46:56 +02:00			`</pam_mount>`
			`'';`
treewide: use attrs instead of list for types.loaOf options 2019-09-14 19:51:29 +02:00			`};`
pam_mount module: integrate pam_mount into PAM of NixOS 2015-07-02 16:46:56 +02:00
			`};`
			`}`