public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

* Make the generation of /etc/pam.d more declarative. There now is an

Browse Source 
option security.pam.services containing the list of PAM services.
  For instance, the SLiM module simply declares:

    security.pam.services = [ { name = "slim"; localLogin = true; } ];

svn path=/nixos/trunk/; revision=16729
This commit is contained in:
Eelco Dolstra 2009-08-16 14:49:14 +00:00
parent 88c505c9e0
commit 39bffdb34c
26 changed files with 477 additions and 571 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
modules/security/pam.d/chsh
View File

@ -1,5 +0,0 @@
auth sufficient pam_rootok.so
auth required pam_permit.so
account required pam_permit.so
password required pam_permit.so
session required pam_permit.so

13
modules/security/pam.d/common
View File

@ -1,13 +0,0 @@
@isLDAPEnabled@ auth sufficient @pam_ldap@/lib/security/pam_ldap.so
auth sufficient @pam_unix2@/lib/security/pam_unix2.so
auth required pam_deny.so
@isLDAPEnabled@ account optional @pam_ldap@/lib/security/pam_ldap.so
account required @pam_unix2@/lib/security/pam_unix2.so
@isLDAPEnabled@ password sufficient @pam_ldap@/lib/security/pam_ldap.so
password requisite @pam_unix2@/lib/security/pam_unix2.so nullok
@syncSambaPasswords@
@isLDAPEnabled@ session optional @pam_ldap@/lib/security/pam_ldap.so
session required @pam_unix2@/lib/security/pam_unix2.so

1
modules/security/pam.d/common-console
View File

@ -1 +0,0 @@
session optional @pam_console@/lib/security/pam_console.so debug handlersfile=@pamConsoleHandlers@

4
modules/security/pam.d/cups
View File

@ -1,4 +0,0 @@
auth include common
account include common
password include common
session include common

4
modules/security/pam.d/ejabberd
View File

@ -1,4 +0,0 @@
auth include common
account include common
password include common
session include common

4
modules/security/pam.d/ftp
View File

@ -1,4 +0,0 @@
auth include common
account include common
password include common
session include common

5
modules/security/pam.d/kde
View File

@ -1,5 +0,0 @@
auth include common
account include common
password include common
session include common
session include common-console

5
modules/security/pam.d/login
View File

@ -1,5 +0,0 @@
auth include common
account include common
password include common
session include common
session include common-console

4
modules/security/pam.d/lshd
View File

@ -1,4 +0,0 @@
auth include common
account include common
password include common
session include common

8
modules/security/pam.d/other
View File

@ -1,8 +0,0 @@
auth required pam_warn.so
auth required pam_deny.so
account required pam_warn.so
account required pam_deny.so
password required pam_warn.so
password required pam_deny.so
session required pam_warn.so
session required pam_deny.so

4
modules/security/pam.d/passwd
View File

@ -1,4 +0,0 @@
auth include common
account include common
password include common
session include common

4
modules/security/pam.d/samba
View File

@ -1,4 +0,0 @@
auth include common
account include common
password include common
session include common

6
modules/security/pam.d/shadow
View File

@ -1,6 +0,0 @@
# Used by groupadd etc.
auth sufficient pam_rootok.so
auth required pam_permit.so
account required pam_permit.so
password required pam_permit.so
session required pam_deny.so

4
modules/security/pam.d/sshd
View File

@ -1,4 +0,0 @@
auth include common
account include common
password include common
session include common

6
modules/security/pam.d/su
View File

@ -1,6 +0,0 @@
auth sufficient pam_rootok.so
auth include common
account include common
password include common
session include common
session optional pam_xauth.so xauthpath=@xauth@/bin/xauth systemuser=99

5
modules/security/pam.d/useradd
View File

@ -1,5 +0,0 @@
auth sufficient pam_rootok.so
auth required pam_permit.so
account required pam_permit.so
password required pam_permit.so
session required pam_permit.so

4
modules/security/pam.d/xlock
View File

@ -1,4 +0,0 @@
auth include common
account include common
password include common
session include common

153
modules/security/pam.nix
View File

@ -3,8 +3,12 @@
{config, pkgs, ...}: {config, pkgs, ...}:
with pkgs.lib;
let let
inherit (pkgs) pam_unix2 pam_console pam_ldap;
# !!! ugh, these files shouldn't be created here. # !!! ugh, these files shouldn't be created here.
pamConsoleHandlers = pkgs.writeText "console.handlers" '' pamConsoleHandlers = pkgs.writeText "console.handlers" ''
console consoledevs /dev/tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9] console consoledevs /dev/tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
@ -14,45 +18,122 @@ let
pamConsolePerms = ./console.perms; pamConsolePerms = ./console.perms;
generatePAMConfig = program: makePAMService =
let isLDAPEnabled = config.users.ldap.enable; in { name
{ source = pkgs.substituteAll { , # If set, root doesn't need to authenticate (e.g. for the "chsh"
src = ./pam.d + ("/" + program); # service).
inherit (pkgs) pam_unix2 pam_console; rootOK ? false
pam_ldap = , # If set, this is a local login (e.g. virtual console or X), so
if isLDAPEnabled # the user gets ownership of audio devices etc.
then pkgs.pam_ldap localLogin ? false
else "/no-such-path"; , # Whether to forward XAuth keys between users. Mostly useful
inherit (pkgs.xorg) xauth; # for "su".
inherit pamConsoleHandlers; forwardXAuth ? false
isLDAPEnabled = if isLDAPEnabled then "" else "#"; }:
syncSambaPasswords = if config.services.samba.syncPasswordsByPam
then "password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass" { source = pkgs.writeText "${name}.pam"
else "# change samba configuration options to make passwd sync the samba auth database as well here.."; # !!! TODO: move the LDAP stuff to the LDAP module, and the
}; # Samba stuff to the Samba module. This requires that the PAM
target = "pam.d/" + program; # module provides the right hooks.
''
# Account management.
${optionalString config.users.ldap.enable
"account optional ${pam_ldap}/lib/security/pam_ldap.so"}
account required ${pam_unix2}/lib/security/pam_unix2.so
# Authentication management.
${optionalString rootOK
"auth sufficient pam_rootok.so"}
${optionalString config.users.ldap.enable
"auth sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
auth sufficient ${pam_unix2}/lib/security/pam_unix2.so
auth required pam_deny.so
# Password management.
${optionalString config.users.ldap.enable
"password sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
password requisite ${pam_unix2}/lib/security/pam_unix2.so nullok
${optionalString config.services.samba.syncPasswordsByPam
"password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass"}
# Session management.
${optionalString config.users.ldap.enable
"session optional ${pam_ldap}/lib/security/pam_ldap.so"}
session required ${pam_unix2}/lib/security/pam_unix2.so
${optionalString localLogin
"session optional ${pam_console}/lib/security/pam_console.so debug handlersfile=${pamConsoleHandlers}"}
${optionalString forwardXAuth
"session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99"}
'';
target = "pam.d/${name}";
}; };
in in
{ {
environment.etc = map generatePAMConfig
[ "login" ###### interface
"su"
"other" options = {
"passwd"
"shadow" security.pam.services = mkOption {
"sshd" default = [];
"lshd" example = [ { name = "chsh"; rootOK = true; } ];
"useradd" description =
"chsh" ''
"xlock" This option defines the PAM services. A service typically
"samba" corresponds to a program that uses PAM,
"cups" e.g. <command>login</command> or <command>passwd</command>.
"ftp" Each element of this list is an attribute set describing a
"ejabberd" service. The attribute <varname>name</varname> specifies
"kde" the name of the service. The attribute
"common" <varname>rootOK</varname> specifies whether the root user is
"common-console" # shared stuff for interactive local sessions allowed to use this service without authentication. The
]; attribute <varname>localLogin</varname> specifies whether
this is a local login service (e.g. <command>xdm</command>),
which implies that the user gets ownership of devices such
as audio and CD-ROM drives. The
attribute <varname>forwardXAuth</varname> specifies whether
X authentication keys should be passed from the calling user
to the target user (e.g. for <command>su</command>).
'';
};
};
###### implementation
config = {
environment.systemPackages =
# Include the PAM modules in the system path mostly for the manpages.
[ pkgs.pam pam_unix2 ]
++ optional config.users.ldap.enable pam_ldap;
environment.etc = map makePAMService config.security.pam.services;
security.pam.services =
# Most of these should be moved to specific modules.
[ { name = "cups"; }
{ name = "ejabberd"; }
{ name = "ftp"; }
{ name = "lshd"; }
{ name = "passwd"; }
{ name = "samba"; }
{ name = "sshd"; }
{ name = "xlock"; }
{ name = "chsh"; rootOK = true; }
{ name = "su"; rootOK = true; forwardXAuth = true; }
# Note: useradd, groupadd etc. aren't setuid root, so it
# doesn't really matter what the PAM config says as long as it
# lets root in.
{ name = "useradd"; rootOK = true; }
# Used by groupadd etc.
{ name = "shadow"; rootOK = true; }
{ name = "login"; localLogin = true; }
];
};
} }

107
modules/security/sudo.nix
View File

@ -1,79 +1,65 @@
{pkgs, config, ...}: {pkgs, config, ...}:
###### interface with pkgs.lib;
let let
inherit (pkgs.lib) mkOption;
cfg = config.security.sudo;
inherit (pkgs) sudo;
in
{
###### interface
options = { options = {
security = {
sudo = {
enable = mkOption { security.sudo.enable = mkOption {
default = true; default = true;
description = " description =
Whether to enable the <command>sudo</command> command, which ''
allows non-root users to execute commands as root. Whether to enable the <command>sudo</command> command, which
"; allows non-root users to execute commands as root.
}; '';
};
configFile = mkOption { security.sudo.configFile = mkOption {
default = " # Note: if syntax errors are detected in this file, the NixOS
# WARNING: do not edit this file directly or with \"visudo\". Instead, # configuration will fail to build.
# edit the source file in /etc/nixos/nixos/etc/sudoers. default =
''
# WARNING: do not edit this file directly or with "visudo". Instead,
# edit the source file in /etc/nixos/nixos/etc/sudoers.
# \"root\" is allowed to do anything. # "root" is allowed to do anything.
root ALL=(ALL) SETENV: ALL root ALL=(ALL) SETENV: ALL
# Users in the \"wheel\" group can do anything. # Users in the "wheel" group can do anything.
%wheel ALL=(ALL) SETENV: ALL %wheel ALL=(ALL) SETENV: ALL
"; '';
description = " description =
This string contains the contents of the ''
<filename>sudoers</filename> file. This string contains the contents of the
"; <filename>sudoers</filename> file.
# If syntax errors are detected in this file, the NixOS '';
# configuration will fail to build.
};
};
}; };
}; };
in
###### implementation
let
cfg = config.security.sudo;
inherit (pkgs.lib) mkIf;
inherit (pkgs) sudo;
in
mkIf cfg.enable { ###### implementation
require = [
options
# config.environment.etc config = mkIf cfg.enable {
# ../etc/default.nix
# ? # config.environment.extraPackages security.extraSetuidPrograms = [ "sudo" ];
# ? # config.security.extraSetuidPrograms
];
security = { environment.systemPackages = [ sudo ];
extraSetuidPrograms = [
"sudo"
];
};
environment = { security.pam.services = [ { name = "sudo"; } ];
extraPackages = [ sudo ];
etc = [ environment.etc = singleton
{ { source = pkgs.runCommand "sudoers"
source = ./sudo.pam;
target = "pam.d/sudo";
}
{
source = pkgs.runCommand "sudoers"
{ src = pkgs.writeText "sudoers-in" cfg.configFile; } { src = pkgs.writeText "sudoers-in" cfg.configFile; }
# Make sure that the sudoers file is syntactically valid. # Make sure that the sudoers file is syntactically valid.
# (currently disabled - NIXOS-66) # (currently disabled - NIXOS-66)
@ -81,7 +67,8 @@ mkIf cfg.enable {
"cp $src $out"; "cp $src $out";
target = "sudoers"; target = "sudoers";
mode = "0440"; mode = "0440";
} };
];
}; };
} }

4
modules/security/sudo.pam
View File

@ -1,4 +0,0 @@
auth include common
account include common
password include common
session include common

224
modules/services/mail/dovecot.nix
View File

@ -1,44 +1,6 @@
{pkgs, config, ...}: {pkgs, config, ...}:
###### interface with pkgs.lib;
let
inherit (pkgs.lib) mkOption mkIf;
options = {
services = {
dovecot = {
enable = mkOption {
default = false;
description = "Whether to enable dovecot POP3/IMAP server.";
};
user = mkOption {
default = "dovecot";
description = "dovecot user name";
};
group = mkOption {
default = "dovecot";
description = "dovecot group name";
};
sslServerCert = mkOption {
default = "";
description = "Server certificate";
};
sslCACert = mkOption {
default = "";
description = "CA certificate used by server certificate";
};
sslServerKey = mkOption {
default = "";
description = "Server key";
};
};
};
};
in
###### implementation
let let
startingDependency = if config.services.gw6c.enable then "gw6c" else "network-interfaces"; startingDependency = if config.services.gw6c.enable then "gw6c" else "network-interfaces";
@ -46,99 +8,129 @@ let
cfg = config.services.dovecot; cfg = config.services.dovecot;
dovecotConf = dovecotConf =
'' ''
base_dir = /var/run/dovecot/ base_dir = /var/run/dovecot/
protocols = imap imaps pop3 pop3s protocols = imap imaps pop3 pop3s
'' ''
+ (if cfg.sslServerCert!="" then + (if cfg.sslServerCert!="" then
'' ''
ssl_cert_file = ${cfg.sslServerCert} ssl_cert_file = ${cfg.sslServerCert}
ssl_key_file = ${cfg.sslServerKey} ssl_key_file = ${cfg.sslServerKey}
ssl_ca_file = ${cfg.sslCACert} ssl_ca_file = ${cfg.sslCACert}
'' else '' '' else ''
ssl_disable = yes ssl_disable = yes
disable_plaintext_auth = no disable_plaintext_auth = no
'') '')
+ ''
login_user = ${cfg.user}
login_chroot = no
+ '' mail_location = maildir:/var/spool/mail/%u
login_user = ${cfg.user}
login_chroot = no
mail_location = maildir:/var/spool/mail/%u maildir_copy_with_hardlinks = yes
maildir_copy_with_hardlinks = yes auth default {
mechanisms = plain login
auth default { userdb passwd {
mechanisms = plain login }
userdb passwd { passdb pam {
}
user = root
} }
passdb pam { auth_debug = yes
} auth_verbose = yes
user = root
}
auth_debug = yes
auth_verbose = yes
pop3_uidl_format = %08Xv%08Xu pop3_uidl_format = %08Xv%08Xu
log_path = /var/log/dovecot.log
'';
log_path = /var/log/dovecot.log
''
;
confFile = pkgs.writeText "dovecot.conf" dovecotConf; confFile = pkgs.writeText "dovecot.conf" dovecotConf;
pamdFile = pkgs.writeText "dovecot.pam" ''
auth include common
account include common
'';
in in
mkIf config.services.dovecot.enable { {
require = [ ###### interface
options
]; options = {
services.dovecot = {
enable = mkOption {
default = false;
description = "Whether to enable the Dovecot POP3/IMAP server.";
};
user = mkOption {
default = "dovecot";
description = "Dovecot user name.";
};
group = mkOption {
default = "dovecot";
description = "Dovecot group name.";
};
sslServerCert = mkOption {
default = "";
description = "Server certificate";
};
sslCACert = mkOption {
default = "";
description = "CA certificate used by the server certificate.";
};
sslServerKey = mkOption {
default = "";
description = "Server key.";
};
};
environment = {
etc = [{
source = pamdFile;
target = "pam.d/dovecot";
}];
}; };
users = {
extraUsers = [{ ###### implementation
name = cfg.user;
uid = config.ids.uids.dovecot; config = mkIf config.services.dovecot.enable {
description = "Dovecot user";
group = cfg.group; security.pam.services = [ { name = "dovecot"; } ];
}];
extraGroups = [{ users.extraUsers = singleton
name = cfg.group; { name = cfg.user;
gid = config.ids.gids.dovecot; uid = config.ids.uids.dovecot;
}]; description = "Dovecot user";
group = cfg.group;
};
users.extraGroups = singleton
{ name = cfg.group;
gid = config.ids.gids.dovecot;
};
services.extraJobs = singleton
{ name = "dovecot";
job =
''
description "Dovecot IMAP/POP3 server"
start on ${startingDependency}/started
stop on never
start script
${pkgs.coreutils}/bin/mkdir -p /var/run/dovecot /var/run/dovecot/login
${pkgs.coreutils}/bin/chown -R ${cfg.user}.${cfg.group} /var/run/dovecot
end script
respawn ${pkgs.dovecot}/sbin/dovecot -F -c ${confFile}
'';
};
}; };
services = {
extraJobs = [{
name = "dovecot";
job = ''
description "Dovecot IMAP/POP3 server"
start on ${startingDependency}/started
stop on never
start script
${pkgs.coreutils}/bin/mkdir -p /var/run/dovecot /var/run/dovecot/login
${pkgs.coreutils}/bin/chown -R ${cfg.user}.${cfg.group} /var/run/dovecot
end script
respawn ${pkgs.dovecot}/sbin/dovecot -F -c ${confFile}
'';
}];
};
} }

204
modules/services/scheduling/atd.nix
View File

@ -1,140 +1,116 @@
{pkgs, config, ...}: {pkgs, config, ...}:
###### interface with pkgs.lib;
let let
inherit (pkgs.lib) mkOption;
options = {
services = {
atd = {
enable = mkOption {
default = true;
description = ''
Whether to enable the `at' daemon, a command scheduler.
'';
};
allowEveryone = mkOption {
default = false;
description = ''
Whether to make /var/spool/at{jobs,spool} writeable
by everyone (and sticky). This is normally not needed since
the `at' commands are setuid/setgid `atd'.
'';
};
};
};
};
in
###### implementation
let
cfg = config.services.atd; cfg = config.services.atd;
inherit (pkgs.lib) mkIf;
inherit (pkgs) at; inherit (pkgs) at;
user = { job =
name = "atd"; ''
uid = config.ids.uids.atd; description "at daemon (atd)"
description = "atd user";
home = "/var/empty";
};
group = { start on startup
name = "atd"; stop on shutdown
gid = config.ids.gids.atd;
};
job = '' start script
description "at daemon (atd)" # Snippets taken and adapted from the original `install' rule of
# the makefile.
start on startup # We assume these values are those actually used in Nixpkgs for
stop on shutdown # `at'.
spooldir=/var/spool/atspool
jobdir=/var/spool/atjobs
etcdir=/etc/at
start script for dir in "$spooldir" "$jobdir" "$etcdir"
# Snippets taken and adapted from the original `install' rule of do
# the makefile. if [ ! -d "$dir" ]
then
mkdir -p "$dir" && chown atd:atd "$dir"
fi
done
chmod 1770 "$spooldir" "$jobdir"
${if cfg.allowEveryone then ''chmod a+rwxt "$spooldir" "$jobdir" '' else ""}
if [ ! -f "$etcdir"/at.deny ]
then
touch "$etcdir"/at.deny && \
chown root:atd "$etcdir"/at.deny && \
chmod 640 "$etcdir"/at.deny
fi
if [ ! -f "$jobdir"/.SEQ ]
then
touch "$jobdir"/.SEQ && \
chown atd:atd "$jobdir"/.SEQ && \
chmod 600 "$jobdir"/.SEQ
fi
end script
# We assume these values are those actually used in Nixpkgs for respawn ${at}/sbin/atd
# `at'. '';
spooldir=/var/spool/atspool
jobdir=/var/spool/atjobs
etcdir=/etc/at
for dir in "$spooldir" "$jobdir" "$etcdir"
do
if [ ! -d "$dir" ]
then
mkdir -p "$dir" && chown atd:atd "$dir"
fi
done
chmod 1770 "$spooldir" "$jobdir"
${if cfg.allowEveryone then ''chmod a+rwxt "$spooldir" "$jobdir" '' else ""}
if [ ! -f "$etcdir"/at.deny ]
then
touch "$etcdir"/at.deny && \
chown root:atd "$etcdir"/at.deny && \
chmod 640 "$etcdir"/at.deny
fi
if [ ! -f "$jobdir"/.SEQ ]
then
touch "$jobdir"/.SEQ && \
chown atd:atd "$jobdir"/.SEQ && \
chmod 600 "$jobdir"/.SEQ
fi
end script
respawn ${at}/sbin/atd
'';
in in
mkIf cfg.enable { {
require = [
options
# config.services.extraJobs ###### interface
#../upstart-jobs/default.nix
# config.environment.etc options = {
#../etc/default.nix
# users.* services.atd.enable = mkOption {
#../system/users-groups.nix default = true;
description = ''
Whether to enable the `at' daemon, a command scheduler.
'';
};
# ? # config.environment.extraPackages services.atd.allowEveryone = mkOption {
# ? # config.security.extraSetuidPrograms default = false;
]; description = ''
Whether to make /var/spool/at{jobs,spool} writeable
by everyone (and sticky). This is normally not needed since
the `at' commands are setuid/setgid `atd'.
'';
};
security = {
setuidOwners = map (program: {
inherit program;
owner = "atd";
group = "atd";
setuid = true;
setgid = true;
}) [ "at" "atq" "atrm" ];
}; };
environment = {
extraPackages = [ at ];
etc = [{ ###### implementation
source = ./atd.pam;
target = "pam.d/atd"; config = mkIf cfg.enable {
}];
security.setuidOwners = map (program: {
inherit program;
owner = "atd";
group = "atd";
setuid = true;
setgid = true;
}) [ "at" "atq" "atrm" ];
environment.systemPackages = [ at ];
security.pam.services = [ { name = "atd"; } ];
users.extraUsers = singleton
{ name = "atd";
uid = config.ids.uids.atd;
description = "atd user";
home = "/var/empty";
};
users.extraGroups = singleton
{ name = "atd";
gid = config.ids.gids.atd;
};
services.extraJobs = singleton # !!! convert to job
{ name = "atd";
inherit job;
};
}; };
users = {
extraUsers = [user];
extraGroups = [group];
};
services = {
extraJobs = [{
name = "atd";
inherit job;
}];
};
} }

4
modules/services/scheduling/atd.pam
View File

@ -1,4 +0,0 @@
auth include common
account include common
password include common
session include common

68
modules/services/x11/xserver/display-managers/kdm.nix
View File

@ -1,35 +1,15 @@
{pkgs, config, ...}: {pkgs, config, ...}:
###### interface with pkgs.lib;
let let
inherit (pkgs.lib) mkOption;
options = { dmcfg = config.services.xserver.displayManager;
services.xserver.displayManager.kdm = {
enable = mkOption {
default = false;
description = "
Whether to enable the KDE display manager.
";
};
};
};
in
###### implementation
let
xcfg = config.services.xserver;
dmcfg = xcfg.displayManager;
cfg = dmcfg.kdm; cfg = dmcfg.kdm;
inherit (pkgs.lib) mkIf;
inherit (pkgs) stdenv;
inherit (pkgs.kde42) kdebase_workspace; inherit (pkgs.kde42) kdebase_workspace;
kdmrc = stdenv.mkDerivation { kdmrc = pkgs.stdenv.mkDerivation {
name = "kdmrc"; name = "kdmrc";
# -e "s|Session=${kdebase_workspace}/share/config/kdm/Xsession|Session=${dmcfg.session.script}|" \ # -e "s|Session=${kdebase_workspace}/share/config/kdm/Xsession|Session=${dmcfg.session.script}|" \
buildCommand = '' buildCommand = ''
@ -50,20 +30,36 @@ let
in in
mkIf cfg.enable { {
require = [
options
];
services = { ###### interface
xserver = {
displayManager = { options = {
job = {
beforeScript = ""; services.xserver.displayManager.kdm = {
env = ""; enable = mkOption {
execCmd = "${kdebase_workspace}/bin/kdm -config ${kdmrc}/kdmrc"; default = false;
}; description = ''
Whether to enable the KDE display manager.
'';
}; };
}; };
}; };
###### implementation
config = mkIf cfg.enable {
services.xserver.displayManager.job =
{ beforeScript = "";
env = "";
execCmd = "${kdebase_workspace}/bin/kdm -config ${kdmrc}/kdmrc";
};
security.pam.services = [ { name = "slim"; localLogin = true; } ];
};
} }

185
modules/services/x11/xserver/display-managers/slim.nix
View File

@ -1,94 +1,24 @@
{pkgs, config, ...}: {pkgs, config, ...}:
###### interface with pkgs.lib;
let let
inherit (pkgs.lib) mkOption;
slimOptions = { dmcfg = config.services.xserver.displayManager;
theme = mkOption {
default = null;
example = pkgs.fetchurl {
url = http://download.berlios.de/slim/slim-wave.tar.gz;
sha256 = "0ndr419i5myzcylvxb89m9grl2xyq6fbnyc3lkd711mzlmnnfxdy";
};
description = "
The theme for the SLiM login manager. If not specified, SLiM's
default theme is used. See <link
xlink:href='http://slim.berlios.de/themes01.php'/> for a
collection of themes.
";
};
defaultUser = mkOption {
default = "";
example = "login";
description = "
The default user to load. If you put a username here you
get it automatically loaded into the username field, and
the focus is placed on the password.
";
};
hideCursor = mkOption {
default = false;
example = true;
description = "
Hide the mouse cursor on the login screen.
";
};
};
options = { services = { xserver = { displayManager = {
slim = slimOptions // {
enable = mkOption {
default = true;
description = "
Whether to enable slim as the display manager.
";
};
};
}; /* displayManager */ }; /* xserver */ }; /* services */ };
copyOldOptions = { services = { xserver = {
# Declare old options.
slim = slimOptions;
# Copy the old options into the new options.
displayManager = {
slim = config.services.xserver.slim;
};
}; /* xserver */ }; /* services */ };
in
###### implementation
let
xcfg = config.services.xserver;
dmcfg = xcfg.displayManager;
cfg = dmcfg.slim; cfg = dmcfg.slim;
inherit (pkgs.lib) mkIf; slimConfig = pkgs.writeText "slim.cfg"
''
slimConfig = pkgs.writeText "slim.cfg" '' xauth_path ${dmcfg.xauthBin}
xauth_path ${dmcfg.xauthBin} default_xserver ${dmcfg.xserverBin}
default_xserver ${dmcfg.xserverBin} xserver_arguments ${dmcfg.xserverArgs}
xserver_arguments ${dmcfg.xserverArgs} sessions ${pkgs.lib.concatStringsSep "," dmcfg.session.names}
sessions ${pkgs.lib.concatStringsSep "," dmcfg.session.names} login_cmd exec ${pkgs.stdenv.bash}/bin/sh ${dmcfg.session.script} "%session"
login_cmd exec ${pkgs.stdenv.bash}/bin/sh ${dmcfg.session.script} "%session" halt_cmd ${pkgs.upstart}/sbin/shutdown -h now
halt_cmd ${pkgs.upstart}/sbin/shutdown -h now reboot_cmd ${pkgs.upstart}/sbin/shutdown -r now
reboot_cmd ${pkgs.upstart}/sbin/shutdown -r now ${if cfg.defaultUser != "" then "default_user " + cfg.defaultUser else ""}
${if cfg.defaultUser != "" then "default_user " + cfg.defaultUser else ""} ${if cfg.hideCursor then "hidecursor true" else ""}
${if cfg.hideCursor then "hidecursor true" else ""} '';
'';
# Unpack the SLiM theme, or use the default. # Unpack the SLiM theme, or use the default.
slimThemesDir = slimThemesDir =
@ -106,34 +36,77 @@ let
in in
mkIf cfg.enable { {
require = [
options
copyOldOptions
];
services = { ###### interface
xserver = {
displayManager = { options = {
job = {
beforeScript = '' services.xserver.displayManager.slim = {
enable = mkOption {
default = true;
description = ''
Whether to enable SLiM as the display manager.
'';
};
theme = mkOption {
default = null;
example = pkgs.fetchurl {
url = http://download.berlios.de/slim/slim-wave.tar.gz;
sha256 = "0ndr419i5myzcylvxb89m9grl2xyq6fbnyc3lkd711mzlmnnfxdy";
};
description = ''
The theme for the SLiM login manager. If not specified, SLiM's
default theme is used. See <link
xlink:href='http://slim.berlios.de/themes01.php'/> for a
collection of themes.
'';
};
defaultUser = mkOption {
default = "";
example = "login";
description = ''
The default user to load. If you put a username here you
get it automatically loaded into the username field, and
the focus is placed on the password.
'';
};
hideCursor = mkOption {
default = false;
example = true;
description = ''
Hide the mouse cursor on the login screen.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
services.xserver.displayManager.job =
{ beforeScript =
''
rm -f /var/log/slim.log rm -f /var/log/slim.log
''; '';
env = '' env =
''
env SLIM_CFGFILE=${slimConfig} env SLIM_CFGFILE=${slimConfig}
env SLIM_THEMESDIR=${slimThemesDir} env SLIM_THEMESDIR=${slimThemesDir}
''; '';
execCmd = "${pkgs.slim}/bin/slim"; execCmd = "${pkgs.slim}/bin/slim";
};
}; };
};
security.pam.services = [ { name = "slim"; localLogin = true; } ];
}; };
environment = {
etc = [
{ source = ./slim.pam;
target = "pam.d/slim";
}
];
};
} }

5
modules/services/x11/xserver/display-managers/slim.pam
View File

@ -1,5 +0,0 @@
auth include common
account include common
password include common
session include common
session include common-console