* Make the generation of /etc/pam.d more declarative. There now is an
option security.pam.services containing the list of PAM services. For instance, the SLiM module simply declares: security.pam.services = [ { name = "slim"; localLogin = true; } ]; svn path=/nixos/trunk/; revision=16729
parent
88c505c9e0
commit
39bffdb34c
@ -1,5 +0,0 @@
|
|||||||
auth sufficient pam_rootok.so
|
|
||||||
auth required pam_permit.so
|
|
||||||
account required pam_permit.so
|
|
||||||
password required pam_permit.so
|
|
||||||
session required pam_permit.so
|
|
@ -1,13 +0,0 @@
|
|||||||
@isLDAPEnabled@ auth sufficient @pam_ldap@/lib/security/pam_ldap.so
|
|
||||||
auth sufficient @pam_unix2@/lib/security/pam_unix2.so
|
|
||||||
auth required pam_deny.so
|
|
||||||
|
|
||||||
@isLDAPEnabled@ account optional @pam_ldap@/lib/security/pam_ldap.so
|
|
||||||
account required @pam_unix2@/lib/security/pam_unix2.so
|
|
||||||
|
|
||||||
@isLDAPEnabled@ password sufficient @pam_ldap@/lib/security/pam_ldap.so
|
|
||||||
password requisite @pam_unix2@/lib/security/pam_unix2.so nullok
|
|
||||||
@syncSambaPasswords@
|
|
||||||
|
|
||||||
@isLDAPEnabled@ session optional @pam_ldap@/lib/security/pam_ldap.so
|
|
||||||
session required @pam_unix2@/lib/security/pam_unix2.so
|
|
@ -1 +0,0 @@
|
|||||||
session optional @pam_console@/lib/security/pam_console.so debug handlersfile=@pamConsoleHandlers@
|
|
@ -1,4 +0,0 @@
|
|||||||
auth include common
|
|
||||||
account include common
|
|
||||||
password include common
|
|
||||||
session include common
|
|
@ -1,4 +0,0 @@
|
|||||||
auth include common
|
|
||||||
account include common
|
|
||||||
password include common
|
|
||||||
session include common
|
|
@ -1,4 +0,0 @@
|
|||||||
auth include common
|
|
||||||
account include common
|
|
||||||
password include common
|
|
||||||
session include common
|
|
@ -1,5 +0,0 @@
|
|||||||
auth include common
|
|
||||||
account include common
|
|
||||||
password include common
|
|
||||||
session include common
|
|
||||||
session include common-console
|
|
@ -1,5 +0,0 @@
|
|||||||
auth include common
|
|
||||||
account include common
|
|
||||||
password include common
|
|
||||||
session include common
|
|
||||||
session include common-console
|
|
@ -1,4 +0,0 @@
|
|||||||
auth include common
|
|
||||||
account include common
|
|
||||||
password include common
|
|
||||||
session include common
|
|
@ -1,8 +0,0 @@
|
|||||||
auth required pam_warn.so
|
|
||||||
auth required pam_deny.so
|
|
||||||
account required pam_warn.so
|
|
||||||
account required pam_deny.so
|
|
||||||
password required pam_warn.so
|
|
||||||
password required pam_deny.so
|
|
||||||
session required pam_warn.so
|
|
||||||
session required pam_deny.so
|
|
@ -1,4 +0,0 @@
|
|||||||
auth include common
|
|
||||||
account include common
|
|
||||||
password include common
|
|
||||||
session include common
|
|
@ -1,4 +0,0 @@
|
|||||||
auth include common
|
|
||||||
account include common
|
|
||||||
password include common
|
|
||||||
session include common
|
|
@ -1,6 +0,0 @@
|
|||||||
# Used by groupadd etc.
|
|
||||||
auth sufficient pam_rootok.so
|
|
||||||
auth required pam_permit.so
|
|
||||||
account required pam_permit.so
|
|
||||||
password required pam_permit.so
|
|
||||||
session required pam_deny.so
|
|
@ -1,4 +0,0 @@
|
|||||||
auth include common
|
|
||||||
account include common
|
|
||||||
password include common
|
|
||||||
session include common
|
|
@ -1,6 +0,0 @@
|
|||||||
auth sufficient pam_rootok.so
|
|
||||||
auth include common
|
|
||||||
account include common
|
|
||||||
password include common
|
|
||||||
session include common
|
|
||||||
session optional pam_xauth.so xauthpath=@xauth@/bin/xauth systemuser=99
|
|
@ -1,5 +0,0 @@
|
|||||||
auth sufficient pam_rootok.so
|
|
||||||
auth required pam_permit.so
|
|
||||||
account required pam_permit.so
|
|
||||||
password required pam_permit.so
|
|
||||||
session required pam_permit.so
|
|
@ -1,4 +0,0 @@
|
|||||||
auth include common
|
|
||||||
account include common
|
|
||||||
password include common
|
|
||||||
session include common
|
|
@ -3,8 +3,12 @@
|
|||||||
|
|
||||||
{config, pkgs, ...}:
|
{config, pkgs, ...}:
|
||||||
|
|
||||||
|
with pkgs.lib;
|
||||||
|
|
||||||
let
|
let
|
||||||
|
|
||||||
|
inherit (pkgs) pam_unix2 pam_console pam_ldap;
|
||||||
|
|
||||||
# !!! ugh, these files shouldn't be created here.
|
# !!! ugh, these files shouldn't be created here.
|
||||||
pamConsoleHandlers = pkgs.writeText "console.handlers" ''
|
pamConsoleHandlers = pkgs.writeText "console.handlers" ''
|
||||||
console consoledevs /dev/tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
|
console consoledevs /dev/tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
|
||||||
@ -14,45 +18,122 @@ let
|
|||||||
|
|
||||||
pamConsolePerms = ./console.perms;
|
pamConsolePerms = ./console.perms;
|
||||||
|
|
||||||
generatePAMConfig = program:
|
makePAMService =
|
||||||
let isLDAPEnabled = config.users.ldap.enable; in
|
{ name
|
||||||
{ source = pkgs.substituteAll {
|
, # If set, root doesn't need to authenticate (e.g. for the "chsh"
|
||||||
src = ./pam.d + ("/" + program);
|
# service).
|
||||||
inherit (pkgs) pam_unix2 pam_console;
|
rootOK ? false
|
||||||
pam_ldap =
|
, # If set, this is a local login (e.g. virtual console or X), so
|
||||||
if isLDAPEnabled
|
# the user gets ownership of audio devices etc.
|
||||||
then pkgs.pam_ldap
|
localLogin ? false
|
||||||
else "/no-such-path";
|
, # Whether to forward XAuth keys between users. Mostly useful
|
||||||
inherit (pkgs.xorg) xauth;
|
# for "su".
|
||||||
inherit pamConsoleHandlers;
|
forwardXAuth ? false
|
||||||
isLDAPEnabled = if isLDAPEnabled then "" else "#";
|
}:
|
||||||
syncSambaPasswords = if config.services.samba.syncPasswordsByPam
|
|
||||||
then "password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass"
|
{ source = pkgs.writeText "${name}.pam"
|
||||||
else "# change samba configuration options to make passwd sync the samba auth database as well here..";
|
# !!! TODO: move the LDAP stuff to the LDAP module, and the
|
||||||
};
|
# Samba stuff to the Samba module. This requires that the PAM
|
||||||
target = "pam.d/" + program;
|
# module provides the right hooks.
|
||||||
|
''
|
||||||
|
# Account management.
|
||||||
|
${optionalString config.users.ldap.enable
|
||||||
|
"account optional ${pam_ldap}/lib/security/pam_ldap.so"}
|
||||||
|
account required ${pam_unix2}/lib/security/pam_unix2.so
|
||||||
|
|
||||||
|
# Authentication management.
|
||||||
|
${optionalString rootOK
|
||||||
|
"auth sufficient pam_rootok.so"}
|
||||||
|
${optionalString config.users.ldap.enable
|
||||||
|
"auth sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
|
||||||
|
auth sufficient ${pam_unix2}/lib/security/pam_unix2.so
|
||||||
|
auth required pam_deny.so
|
||||||
|
|
||||||
|
# Password management.
|
||||||
|
${optionalString config.users.ldap.enable
|
||||||
|
"password sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
|
||||||
|
password requisite ${pam_unix2}/lib/security/pam_unix2.so nullok
|
||||||
|
${optionalString config.services.samba.syncPasswordsByPam
|
||||||
|
"password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass"}
|
||||||
|
|
||||||
|
# Session management.
|
||||||
|
${optionalString config.users.ldap.enable
|
||||||
|
"session optional ${pam_ldap}/lib/security/pam_ldap.so"}
|
||||||
|
session required ${pam_unix2}/lib/security/pam_unix2.so
|
||||||
|
${optionalString localLogin
|
||||||
|
"session optional ${pam_console}/lib/security/pam_console.so debug handlersfile=${pamConsoleHandlers}"}
|
||||||
|
${optionalString forwardXAuth
|
||||||
|
"session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99"}
|
||||||
|
'';
|
||||||
|
target = "pam.d/${name}";
|
||||||
};
|
};
|
||||||
|
|
||||||
in
|
in
|
||||||
|
|
||||||
{
|
{
|
||||||
environment.etc = map generatePAMConfig
|
|
||||||
[ "login"
|
###### interface
|
||||||
"su"
|
|
||||||
"other"
|
options = {
|
||||||
"passwd"
|
|
||||||
"shadow"
|
security.pam.services = mkOption {
|
||||||
"sshd"
|
default = [];
|
||||||
"lshd"
|
example = [ { name = "chsh"; rootOK = true; } ];
|
||||||
"useradd"
|
description =
|
||||||
"chsh"
|
''
|
||||||
"xlock"
|
This option defines the PAM services. A service typically
|
||||||
"samba"
|
corresponds to a program that uses PAM,
|
||||||
"cups"
|
e.g. <command>login</command> or <command>passwd</command>.
|
||||||
"ftp"
|
Each element of this list is an attribute set describing a
|
||||||
"ejabberd"
|
service. The attribute <varname>name</varname> specifies
|
||||||
"kde"
|
the name of the service. The attribute
|
||||||
"common"
|
<varname>rootOK</varname> specifies whether the root user is
|
||||||
"common-console" # shared stuff for interactive local sessions
|
allowed to use this service without authentication. The
|
||||||
];
|
attribute <varname>localLogin</varname> specifies whether
|
||||||
|
this is a local login service (e.g. <command>xdm</command>),
|
||||||
|
which implies that the user gets ownership of devices such
|
||||||
|
as audio and CD-ROM drives. The
|
||||||
|
attribute <varname>forwardXAuth</varname> specifies whether
|
||||||
|
X authentication keys should be passed from the calling user
|
||||||
|
to the target user (e.g. for <command>su</command>).
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
###### implementation
|
||||||
|
|
||||||
|
config = {
|
||||||
|
|
||||||
|
environment.systemPackages =
|
||||||
|
# Include the PAM modules in the system path mostly for the manpages.
|
||||||
|
[ pkgs.pam pam_unix2 ]
|
||||||
|
++ optional config.users.ldap.enable pam_ldap;
|
||||||
|
|
||||||
|
environment.etc = map makePAMService config.security.pam.services;
|
||||||
|
|
||||||
|
security.pam.services =
|
||||||
|
# Most of these should be moved to specific modules.
|
||||||
|
[ { name = "cups"; }
|
||||||
|
{ name = "ejabberd"; }
|
||||||
|
{ name = "ftp"; }
|
||||||
|
{ name = "lshd"; }
|
||||||
|
{ name = "passwd"; }
|
||||||
|
{ name = "samba"; }
|
||||||
|
{ name = "sshd"; }
|
||||||
|
{ name = "xlock"; }
|
||||||
|
{ name = "chsh"; rootOK = true; }
|
||||||
|
{ name = "su"; rootOK = true; forwardXAuth = true; }
|
||||||
|
# Note: useradd, groupadd etc. aren't setuid root, so it
|
||||||
|
# doesn't really matter what the PAM config says as long as it
|
||||||
|
# lets root in.
|
||||||
|
{ name = "useradd"; rootOK = true; }
|
||||||
|
# Used by groupadd etc.
|
||||||
|
{ name = "shadow"; rootOK = true; }
|
||||||
|
{ name = "login"; localLogin = true; }
|
||||||
|
];
|
||||||
|
|
||||||
|
};
|
||||||
|
|
||||||
}
|
}
|
||||||
|
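Review bot: The new default list under `security.pam.services` drops the `other` entry that the removed `environment.etc` list carried, so the fail-closed fallback (the deleted file above with `pam_warn.so` followed by `pam_deny.so` on every stack) is no longer generated, and `makePAMService` has no argument that can express a deny-only service. Linux-PAM consults `other` for any service name without its own file; whether it still denies when `other` is absent depends on the libpam build, so an explicit, logged deny is the safer and more auditable default. One way to keep it within this design is an extra `makePAMService` argument, e.g. `denyAll ? false`, that emits the warn/deny lines instead of the four stacks, plus `{ name = "other"; denyAll = true; }` in the default list. The `kde` entry is also gone from the list with no module taking it over in this commit (the kdm module below registers `slim`).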
@ -1,79 +1,65 @@
|
|||||||
{pkgs, config, ...}:
|
{pkgs, config, ...}:
|
||||||
|
|
||||||
###### interface
|
with pkgs.lib;
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (pkgs.lib) mkOption;
|
|
||||||
|
cfg = config.security.sudo;
|
||||||
|
|
||||||
|
inherit (pkgs) sudo;
|
||||||
|
|
||||||
|
in
|
||||||
|
|
||||||
|
{
|
||||||
|
|
||||||
|
###### interface
|
||||||
|
|
||||||
options = {
|
options = {
|
||||||
security = {
|
|
||||||
sudo = {
|
|
||||||
|
|
||||||
enable = mkOption {
|
security.sudo.enable = mkOption {
|
||||||
default = true;
|
default = true;
|
||||||
description = "
|
description =
|
||||||
Whether to enable the <command>sudo</command> command, which
|
''
|
||||||
allows non-root users to execute commands as root.
|
Whether to enable the <command>sudo</command> command, which
|
||||||
";
|
allows non-root users to execute commands as root.
|
||||||
};
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
configFile = mkOption {
|
security.sudo.configFile = mkOption {
|
||||||
default = "
|
# Note: if syntax errors are detected in this file, the NixOS
|
||||||
# WARNING: do not edit this file directly or with \"visudo\". Instead,
|
# configuration will fail to build.
|
||||||
# edit the source file in /etc/nixos/nixos/etc/sudoers.
|
default =
|
||||||
|
''
|
||||||
|
# WARNING: do not edit this file directly or with "visudo". Instead,
|
||||||
|
# edit the source file in /etc/nixos/nixos/etc/sudoers.
|
||||||
|
|
||||||
# \"root\" is allowed to do anything.
|
# "root" is allowed to do anything.
|
||||||
root ALL=(ALL) SETENV: ALL
|
root ALL=(ALL) SETENV: ALL
|
||||||
|
|
||||||
# Users in the \"wheel\" group can do anything.
|
# Users in the "wheel" group can do anything.
|
||||||
%wheel ALL=(ALL) SETENV: ALL
|
%wheel ALL=(ALL) SETENV: ALL
|
||||||
";
|
'';
|
||||||
description = "
|
description =
|
||||||
This string contains the contents of the
|
''
|
||||||
<filename>sudoers</filename> file.
|
This string contains the contents of the
|
||||||
";
|
<filename>sudoers</filename> file.
|
||||||
# If syntax errors are detected in this file, the NixOS
|
'';
|
||||||
# configuration will fail to build.
|
|
||||||
};
|
|
||||||
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
in
|
|
||||||
|
|
||||||
###### implementation
|
|
||||||
let
|
|
||||||
cfg = config.security.sudo;
|
|
||||||
inherit (pkgs.lib) mkIf;
|
|
||||||
inherit (pkgs) sudo;
|
|
||||||
in
|
|
||||||
|
|
||||||
mkIf cfg.enable {
|
###### implementation
|
||||||
require = [
|
|
||||||
options
|
|
||||||
|
|
||||||
# config.environment.etc
|
config = mkIf cfg.enable {
|
||||||
# ../etc/default.nix
|
|
||||||
|
|
||||||
# ? # config.environment.extraPackages
|
security.extraSetuidPrograms = [ "sudo" ];
|
||||||
# ? # config.security.extraSetuidPrograms
|
|
||||||
];
|
|
||||||
|
|
||||||
security = {
|
environment.systemPackages = [ sudo ];
|
||||||
extraSetuidPrograms = [
|
|
||||||
"sudo"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
environment = {
|
security.pam.services = [ { name = "sudo"; } ];
|
||||||
extraPackages = [ sudo ];
|
|
||||||
|
|
||||||
etc = [
|
environment.etc = singleton
|
||||||
{
|
{ source = pkgs.runCommand "sudoers"
|
||||||
source = ./sudo.pam;
|
|
||||||
target = "pam.d/sudo";
|
|
||||||
}
|
|
||||||
{
|
|
||||||
source = pkgs.runCommand "sudoers"
|
|
||||||
{ src = pkgs.writeText "sudoers-in" cfg.configFile; }
|
{ src = pkgs.writeText "sudoers-in" cfg.configFile; }
|
||||||
# Make sure that the sudoers file is syntactically valid.
|
# Make sure that the sudoers file is syntactically valid.
|
||||||
# (currently disabled - NIXOS-66)
|
# (currently disabled - NIXOS-66)
|
||||||
@ -81,7 +67,8 @@ mkIf cfg.enable {
|
|||||||
"cp $src $out";
|
"cp $src $out";
|
||||||
target = "sudoers";
|
target = "sudoers";
|
||||||
mode = "0440";
|
mode = "0440";
|
||||||
}
|
};
|
||||||
];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
}
|
}
|
||||||
|
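Review bot: The comment placed above `default` in `security.sudo.configFile` (`# Note: if syntax errors are detected in this file, the NixOS configuration will fail to build.`) promises a check the code does not perform: the `runCommand "sudoers"` derivation still runs only `"cp $src $out"` and the validation step is marked `# (currently disabled - NIXOS-66)`, so a malformed `sudoers` is installed as-is and sudo then refuses to run for every user until the file is repaired. Either reword the comment to say the check is currently disabled, or re-enable it in the build command, e.g. `visudo -c -f $src && cp $src $out` using the `sudo` package already inherited in the `let`, so that the build fails instead of the machine. The `runCommand` body spans the two hunks of this section.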
@ -1,4 +0,0 @@
|
|||||||
auth include common
|
|
||||||
account include common
|
|
||||||
password include common
|
|
||||||
session include common
|
|
@ -1,44 +1,6 @@
|
|||||||
{pkgs, config, ...}:
|
{pkgs, config, ...}:
|
||||||
|
|
||||||
###### interface
|
with pkgs.lib;
|
||||||
let
|
|
||||||
inherit (pkgs.lib) mkOption mkIf;
|
|
||||||
|
|
||||||
options = {
|
|
||||||
services = {
|
|
||||||
dovecot = {
|
|
||||||
enable = mkOption {
|
|
||||||
default = false;
|
|
||||||
description = "Whether to enable dovecot POP3/IMAP server.";
|
|
||||||
};
|
|
||||||
|
|
||||||
user = mkOption {
|
|
||||||
default = "dovecot";
|
|
||||||
description = "dovecot user name";
|
|
||||||
};
|
|
||||||
group = mkOption {
|
|
||||||
default = "dovecot";
|
|
||||||
description = "dovecot group name";
|
|
||||||
};
|
|
||||||
|
|
||||||
sslServerCert = mkOption {
|
|
||||||
default = "";
|
|
||||||
description = "Server certificate";
|
|
||||||
};
|
|
||||||
sslCACert = mkOption {
|
|
||||||
default = "";
|
|
||||||
description = "CA certificate used by server certificate";
|
|
||||||
};
|
|
||||||
sslServerKey = mkOption {
|
|
||||||
default = "";
|
|
||||||
description = "Server key";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
in
|
|
||||||
|
|
||||||
###### implementation
|
|
||||||
|
|
||||||
let
|
let
|
||||||
startingDependency = if config.services.gw6c.enable then "gw6c" else "network-interfaces";
|
startingDependency = if config.services.gw6c.enable then "gw6c" else "network-interfaces";
|
||||||
@ -46,99 +8,129 @@ let
|
|||||||
cfg = config.services.dovecot;
|
cfg = config.services.dovecot;
|
||||||
|
|
||||||
dovecotConf =
|
dovecotConf =
|
||||||
''
|
''
|
||||||
base_dir = /var/run/dovecot/
|
base_dir = /var/run/dovecot/
|
||||||
|
|
||||||
protocols = imap imaps pop3 pop3s
|
protocols = imap imaps pop3 pop3s
|
||||||
''
|
''
|
||||||
+ (if cfg.sslServerCert!="" then
|
+ (if cfg.sslServerCert!="" then
|
||||||
''
|
''
|
||||||
ssl_cert_file = ${cfg.sslServerCert}
|
ssl_cert_file = ${cfg.sslServerCert}
|
||||||
ssl_key_file = ${cfg.sslServerKey}
|
ssl_key_file = ${cfg.sslServerKey}
|
||||||
ssl_ca_file = ${cfg.sslCACert}
|
ssl_ca_file = ${cfg.sslCACert}
|
||||||
'' else ''
|
'' else ''
|
||||||
ssl_disable = yes
|
ssl_disable = yes
|
||||||
disable_plaintext_auth = no
|
disable_plaintext_auth = no
|
||||||
'')
|
'')
|
||||||
|
|
||||||
|
+ ''
|
||||||
|
login_user = ${cfg.user}
|
||||||
|
login_chroot = no
|
||||||
|
|
||||||
+ ''
|
mail_location = maildir:/var/spool/mail/%u
|
||||||
login_user = ${cfg.user}
|
|
||||||
login_chroot = no
|
|
||||||
|
|
||||||
mail_location = maildir:/var/spool/mail/%u
|
maildir_copy_with_hardlinks = yes
|
||||||
|
|
||||||
maildir_copy_with_hardlinks = yes
|
auth default {
|
||||||
|
mechanisms = plain login
|
||||||
auth default {
|
userdb passwd {
|
||||||
mechanisms = plain login
|
}
|
||||||
userdb passwd {
|
passdb pam {
|
||||||
|
}
|
||||||
|
user = root
|
||||||
}
|
}
|
||||||
passdb pam {
|
auth_debug = yes
|
||||||
}
|
auth_verbose = yes
|
||||||
user = root
|
|
||||||
}
|
|
||||||
auth_debug = yes
|
|
||||||
auth_verbose = yes
|
|
||||||
|
|
||||||
pop3_uidl_format = %08Xv%08Xu
|
pop3_uidl_format = %08Xv%08Xu
|
||||||
|
|
||||||
|
log_path = /var/log/dovecot.log
|
||||||
|
'';
|
||||||
|
|
||||||
log_path = /var/log/dovecot.log
|
|
||||||
''
|
|
||||||
;
|
|
||||||
confFile = pkgs.writeText "dovecot.conf" dovecotConf;
|
confFile = pkgs.writeText "dovecot.conf" dovecotConf;
|
||||||
|
|
||||||
pamdFile = pkgs.writeText "dovecot.pam" ''
|
|
||||||
auth include common
|
|
||||||
account include common
|
|
||||||
'';
|
|
||||||
|
|
||||||
in
|
in
|
||||||
|
|
||||||
mkIf config.services.dovecot.enable {
|
{
|
||||||
|
|
||||||
require = [
|
###### interface
|
||||||
options
|
|
||||||
];
|
options = {
|
||||||
|
|
||||||
|
services.dovecot = {
|
||||||
|
|
||||||
|
enable = mkOption {
|
||||||
|
default = false;
|
||||||
|
description = "Whether to enable the Dovecot POP3/IMAP server.";
|
||||||
|
};
|
||||||
|
|
||||||
|
user = mkOption {
|
||||||
|
default = "dovecot";
|
||||||
|
description = "Dovecot user name.";
|
||||||
|
};
|
||||||
|
|
||||||
|
group = mkOption {
|
||||||
|
default = "dovecot";
|
||||||
|
description = "Dovecot group name.";
|
||||||
|
};
|
||||||
|
|
||||||
|
sslServerCert = mkOption {
|
||||||
|
default = "";
|
||||||
|
description = "Server certificate";
|
||||||
|
};
|
||||||
|
|
||||||
|
sslCACert = mkOption {
|
||||||
|
default = "";
|
||||||
|
description = "CA certificate used by the server certificate.";
|
||||||
|
};
|
||||||
|
|
||||||
|
sslServerKey = mkOption {
|
||||||
|
default = "";
|
||||||
|
description = "Server key.";
|
||||||
|
};
|
||||||
|
|
||||||
|
};
|
||||||
|
|
||||||
environment = {
|
|
||||||
etc = [{
|
|
||||||
source = pamdFile;
|
|
||||||
target = "pam.d/dovecot";
|
|
||||||
}];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
users = {
|
|
||||||
extraUsers = [{
|
###### implementation
|
||||||
name = cfg.user;
|
|
||||||
uid = config.ids.uids.dovecot;
|
config = mkIf config.services.dovecot.enable {
|
||||||
description = "Dovecot user";
|
|
||||||
group = cfg.group;
|
security.pam.services = [ { name = "dovecot"; } ];
|
||||||
}];
|
|
||||||
extraGroups = [{
|
users.extraUsers = singleton
|
||||||
name = cfg.group;
|
{ name = cfg.user;
|
||||||
gid = config.ids.gids.dovecot;
|
uid = config.ids.uids.dovecot;
|
||||||
}];
|
description = "Dovecot user";
|
||||||
|
group = cfg.group;
|
||||||
|
};
|
||||||
|
|
||||||
|
users.extraGroups = singleton
|
||||||
|
{ name = cfg.group;
|
||||||
|
gid = config.ids.gids.dovecot;
|
||||||
|
};
|
||||||
|
|
||||||
|
services.extraJobs = singleton
|
||||||
|
{ name = "dovecot";
|
||||||
|
|
||||||
|
job =
|
||||||
|
''
|
||||||
|
description "Dovecot IMAP/POP3 server"
|
||||||
|
|
||||||
|
start on ${startingDependency}/started
|
||||||
|
stop on never
|
||||||
|
|
||||||
|
start script
|
||||||
|
${pkgs.coreutils}/bin/mkdir -p /var/run/dovecot /var/run/dovecot/login
|
||||||
|
${pkgs.coreutils}/bin/chown -R ${cfg.user}.${cfg.group} /var/run/dovecot
|
||||||
|
end script
|
||||||
|
|
||||||
|
respawn ${pkgs.dovecot}/sbin/dovecot -F -c ${confFile}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
services = {
|
|
||||||
extraJobs = [{
|
|
||||||
name = "dovecot";
|
|
||||||
|
|
||||||
job = ''
|
|
||||||
description "Dovecot IMAP/POP3 server"
|
|
||||||
|
|
||||||
start on ${startingDependency}/started
|
|
||||||
stop on never
|
|
||||||
|
|
||||||
start script
|
|
||||||
${pkgs.coreutils}/bin/mkdir -p /var/run/dovecot /var/run/dovecot/login
|
|
||||||
${pkgs.coreutils}/bin/chown -R ${cfg.user}.${cfg.group} /var/run/dovecot
|
|
||||||
end script
|
|
||||||
|
|
||||||
respawn ${pkgs.dovecot}/sbin/dovecot -F -c ${confFile}
|
|
||||||
'';
|
|
||||||
|
|
||||||
}];
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
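Review bot: `sslServerCert` keeps the bare description `"Server certificate"` while its siblings were rewritten in this hunk (`"Server key."`, `"CA certificate used by the server certificate."`), and none of the three says what kind of value is expected; `dovecotConf` writes them into `ssl_cert_file`, `ssl_key_file` and `ssl_ca_file`, so they are file paths rather than PEM contents. Suggest `description = "Path to the server certificate file.";` and the same `Path to …` wording for `sslServerKey` and `sslCACert`. Separately, replacing `pamdFile` (which contained only `auth include common` and `account include common`) with `security.pam.services = [ { name = "dovecot"; } ]` gives the service the full password and session stacks as well; Dovecot's `passdb pam` presumably only drives authentication and account checks, so this is likely inert, but it is a behaviour change the commit message does not mention.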
@ -1,140 +1,116 @@
|
|||||||
{pkgs, config, ...}:
|
{pkgs, config, ...}:
|
||||||
|
|
||||||
###### interface
|
with pkgs.lib;
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (pkgs.lib) mkOption;
|
|
||||||
|
|
||||||
options = {
|
|
||||||
services = {
|
|
||||||
atd = {
|
|
||||||
|
|
||||||
enable = mkOption {
|
|
||||||
default = true;
|
|
||||||
description = ''
|
|
||||||
Whether to enable the `at' daemon, a command scheduler.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
allowEveryone = mkOption {
|
|
||||||
default = false;
|
|
||||||
description = ''
|
|
||||||
Whether to make /var/spool/at{jobs,spool} writeable
|
|
||||||
by everyone (and sticky). This is normally not needed since
|
|
||||||
the `at' commands are setuid/setgid `atd'.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
};
|
|
||||||
};
|
|
||||||
in
|
|
||||||
|
|
||||||
###### implementation
|
|
||||||
let
|
|
||||||
cfg = config.services.atd;
|
cfg = config.services.atd;
|
||||||
inherit (pkgs.lib) mkIf;
|
|
||||||
inherit (pkgs) at;
|
inherit (pkgs) at;
|
||||||
|
|
||||||
user = {
|
job =
|
||||||
name = "atd";
|
''
|
||||||
uid = config.ids.uids.atd;
|
description "at daemon (atd)"
|
||||||
description = "atd user";
|
|
||||||
home = "/var/empty";
|
|
||||||
};
|
|
||||||
|
|
||||||
group = {
|
start on startup
|
||||||
name = "atd";
|
stop on shutdown
|
||||||
gid = config.ids.gids.atd;
|
|
||||||
};
|
|
||||||
|
|
||||||
job = ''
|
start script
|
||||||
description "at daemon (atd)"
|
# Snippets taken and adapted from the original `install' rule of
|
||||||
|
# the makefile.
|
||||||
|
|
||||||
start on startup
|
# We assume these values are those actually used in Nixpkgs for
|
||||||
stop on shutdown
|
# `at'.
|
||||||
|
spooldir=/var/spool/atspool
|
||||||
|
jobdir=/var/spool/atjobs
|
||||||
|
etcdir=/etc/at
|
||||||
|
|
||||||
start script
|
for dir in "$spooldir" "$jobdir" "$etcdir"
|
||||||
# Snippets taken and adapted from the original `install' rule of
|
do
|
||||||
# the makefile.
|
if [ ! -d "$dir" ]
|
||||||
|
then
|
||||||
|
mkdir -p "$dir" && chown atd:atd "$dir"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
chmod 1770 "$spooldir" "$jobdir"
|
||||||
|
${if cfg.allowEveryone then ''chmod a+rwxt "$spooldir" "$jobdir" '' else ""}
|
||||||
|
if [ ! -f "$etcdir"/at.deny ]
|
||||||
|
then
|
||||||
|
touch "$etcdir"/at.deny && \
|
||||||
|
chown root:atd "$etcdir"/at.deny && \
|
||||||
|
chmod 640 "$etcdir"/at.deny
|
||||||
|
fi
|
||||||
|
if [ ! -f "$jobdir"/.SEQ ]
|
||||||
|
then
|
||||||
|
touch "$jobdir"/.SEQ && \
|
||||||
|
chown atd:atd "$jobdir"/.SEQ && \
|
||||||
|
chmod 600 "$jobdir"/.SEQ
|
||||||
|
fi
|
||||||
|
end script
|
||||||
|
|
||||||
# We assume these values are those actually used in Nixpkgs for
|
respawn ${at}/sbin/atd
|
||||||
# `at'.
|
'';
|
||||||
spooldir=/var/spool/atspool
|
|
||||||
jobdir=/var/spool/atjobs
|
|
||||||
etcdir=/etc/at
|
|
||||||
|
|
||||||
for dir in "$spooldir" "$jobdir" "$etcdir"
|
|
||||||
do
|
|
||||||
if [ ! -d "$dir" ]
|
|
||||||
then
|
|
||||||
mkdir -p "$dir" && chown atd:atd "$dir"
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
chmod 1770 "$spooldir" "$jobdir"
|
|
||||||
${if cfg.allowEveryone then ''chmod a+rwxt "$spooldir" "$jobdir" '' else ""}
|
|
||||||
if [ ! -f "$etcdir"/at.deny ]
|
|
||||||
then
|
|
||||||
touch "$etcdir"/at.deny && \
|
|
||||||
chown root:atd "$etcdir"/at.deny && \
|
|
||||||
chmod 640 "$etcdir"/at.deny
|
|
||||||
fi
|
|
||||||
if [ ! -f "$jobdir"/.SEQ ]
|
|
||||||
then
|
|
||||||
touch "$jobdir"/.SEQ && \
|
|
||||||
chown atd:atd "$jobdir"/.SEQ && \
|
|
||||||
chmod 600 "$jobdir"/.SEQ
|
|
||||||
fi
|
|
||||||
end script
|
|
||||||
|
|
||||||
respawn ${at}/sbin/atd
|
|
||||||
'';
|
|
||||||
in
|
in
|
||||||
|
|
||||||
mkIf cfg.enable {
|
{
|
||||||
require = [
|
|
||||||
options
|
|
||||||
|
|
||||||
# config.services.extraJobs
|
###### interface
|
||||||
#../upstart-jobs/default.nix
|
|
||||||
|
|
||||||
# config.environment.etc
|
options = {
|
||||||
#../etc/default.nix
|
|
||||||
|
|
||||||
# users.*
|
services.atd.enable = mkOption {
|
||||||
#../system/users-groups.nix
|
default = true;
|
||||||
|
description = ''
|
||||||
|
Whether to enable the `at' daemon, a command scheduler.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
# ? # config.environment.extraPackages
|
services.atd.allowEveryone = mkOption {
|
||||||
# ? # config.security.extraSetuidPrograms
|
default = false;
|
||||||
];
|
description = ''
|
||||||
|
Whether to make /var/spool/at{jobs,spool} writeable
|
||||||
|
by everyone (and sticky). This is normally not needed since
|
||||||
|
the `at' commands are setuid/setgid `atd'.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
security = {
|
|
||||||
setuidOwners = map (program: {
|
|
||||||
inherit program;
|
|
||||||
owner = "atd";
|
|
||||||
group = "atd";
|
|
||||||
setuid = true;
|
|
||||||
setgid = true;
|
|
||||||
}) [ "at" "atq" "atrm" ];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
environment = {
|
|
||||||
extraPackages = [ at ];
|
|
||||||
|
|
||||||
etc = [{
|
###### implementation
|
||||||
source = ./atd.pam;
|
|
||||||
target = "pam.d/atd";
|
config = mkIf cfg.enable {
|
||||||
}];
|
|
||||||
|
security.setuidOwners = map (program: {
|
||||||
|
inherit program;
|
||||||
|
owner = "atd";
|
||||||
|
group = "atd";
|
||||||
|
setuid = true;
|
||||||
|
setgid = true;
|
||||||
|
}) [ "at" "atq" "atrm" ];
|
||||||
|
|
||||||
|
environment.systemPackages = [ at ];
|
||||||
|
|
||||||
|
security.pam.services = [ { name = "atd"; } ];
|
||||||
|
|
||||||
|
users.extraUsers = singleton
|
||||||
|
{ name = "atd";
|
||||||
|
uid = config.ids.uids.atd;
|
||||||
|
description = "atd user";
|
||||||
|
home = "/var/empty";
|
||||||
|
};
|
||||||
|
|
||||||
|
users.extraGroups = singleton
|
||||||
|
{ name = "atd";
|
||||||
|
gid = config.ids.gids.atd;
|
||||||
|
};
|
||||||
|
|
||||||
|
services.extraJobs = singleton # !!! convert to job
|
||||||
|
{ name = "atd";
|
||||||
|
inherit job;
|
||||||
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
users = {
|
|
||||||
extraUsers = [user];
|
|
||||||
extraGroups = [group];
|
|
||||||
};
|
|
||||||
|
|
||||||
services = {
|
|
||||||
extraJobs = [{
|
|
||||||
name = "atd";
|
|
||||||
inherit job;
|
|
||||||
}];
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
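Review bot: The relocated `start script` still runs `mkdir -p "$dir" && chown atd:atd "$dir"` for all three of `$spooldir`, `$jobdir` and `$etcdir`, so `/etc/at` ends up owned by the unprivileged `atd` user, which undermines the `chown root:atd "$etcdir"/at.deny` and `chmod 640` that follow: the owner of a directory can replace entries in it regardless of the file's own mode. The lines are moved rather than written here and may mirror the upstream makefile's install rule, but since the job is being touched it is worth creating all three directories and then running `chown atd:atd "$spooldir" "$jobdir"` only, leaving `$etcdir` to root. Note also that `services.atd.enable` defaults to `true`, so the daemon, the three setuid/setgid programs in `security.setuidOwners` and the `atd` PAM service are present on every system unless explicitly disabled.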
@ -1,4 +0,0 @@
|
|||||||
auth include common
|
|
||||||
account include common
|
|
||||||
password include common
|
|
||||||
session include common
|
|
@ -1,35 +1,15 @@
|
|||||||
{pkgs, config, ...}:
|
{pkgs, config, ...}:
|
||||||
|
|
||||||
###### interface
|
with pkgs.lib;
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (pkgs.lib) mkOption;
|
|
||||||
|
|
||||||
options = {
|
dmcfg = config.services.xserver.displayManager;
|
||||||
|
|
||||||
services.xserver.displayManager.kdm = {
|
|
||||||
enable = mkOption {
|
|
||||||
default = false;
|
|
||||||
description = "
|
|
||||||
Whether to enable the KDE display manager.
|
|
||||||
";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
};
|
|
||||||
|
|
||||||
in
|
|
||||||
|
|
||||||
###### implementation
|
|
||||||
let
|
|
||||||
xcfg = config.services.xserver;
|
|
||||||
dmcfg = xcfg.displayManager;
|
|
||||||
cfg = dmcfg.kdm;
|
cfg = dmcfg.kdm;
|
||||||
|
|
||||||
inherit (pkgs.lib) mkIf;
|
|
||||||
inherit (pkgs) stdenv;
|
|
||||||
inherit (pkgs.kde42) kdebase_workspace;
|
inherit (pkgs.kde42) kdebase_workspace;
|
||||||
|
|
||||||
kdmrc = stdenv.mkDerivation {
|
kdmrc = pkgs.stdenv.mkDerivation {
|
||||||
name = "kdmrc";
|
name = "kdmrc";
|
||||||
# -e "s|Session=${kdebase_workspace}/share/config/kdm/Xsession|Session=${dmcfg.session.script}|" \
|
# -e "s|Session=${kdebase_workspace}/share/config/kdm/Xsession|Session=${dmcfg.session.script}|" \
|
||||||
buildCommand = ''
|
buildCommand = ''
|
||||||
@ -50,20 +30,36 @@ let
|
|||||||
|
|
||||||
in
|
in
|
||||||
|
|
||||||
mkIf cfg.enable {
|
{
|
||||||
require = [
|
|
||||||
options
|
|
||||||
];
|
|
||||||
|
|
||||||
services = {
|
###### interface
|
||||||
xserver = {
|
|
||||||
displayManager = {
|
options = {
|
||||||
job = {
|
|
||||||
beforeScript = "";
|
services.xserver.displayManager.kdm = {
|
||||||
env = "";
|
enable = mkOption {
|
||||||
execCmd = "${kdebase_workspace}/bin/kdm -config ${kdmrc}/kdmrc";
|
default = false;
|
||||||
};
|
description = ''
|
||||||
|
Whether to enable the KDE display manager.
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
###### implementation
|
||||||
|
|
||||||
|
config = mkIf cfg.enable {
|
||||||
|
|
||||||
|
services.xserver.displayManager.job =
|
||||||
|
{ beforeScript = "";
|
||||||
|
env = "";
|
||||||
|
execCmd = "${kdebase_workspace}/bin/kdm -config ${kdmrc}/kdmrc";
|
||||||
|
};
|
||||||
|
|
||||||
|
security.pam.services = [ { name = "slim"; localLogin = true; } ];
|
||||||
|
|
||||||
|
};
|
||||||
|
|
||||||
}
|
}
|
||||||
|
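Review bot: The PAM service registered at `security.pam.services = [ { name = "slim"; localLogin = true; } ];` is the SLiM module's declaration (the commit message quotes the same line for SLiM), not KDM's, so the kdm module writes `pam.d/slim` and leaves KDM without the service it actually looks up. KDM has historically authenticated through a PAM service named `kde`, which is the entry the old pam.nix list carried and this commit removes without a replacement; confirm the name against the kdm build used here and then declare `security.pam.services = [ { name = "kde"; localLogin = true; } ];`. If both SLiM and KDM were enabled, the duplicate `slim` entry would also yield two `pam.d/slim` targets in `environment.etc`.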
@ -1,94 +1,24 @@
|
|||||||
{pkgs, config, ...}:
|
{pkgs, config, ...}:
|
||||||
|
|
||||||
###### interface
|
with pkgs.lib;
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (pkgs.lib) mkOption;
|
|
||||||
|
|
||||||
slimOptions = {
|
dmcfg = config.services.xserver.displayManager;
|
||||||
|
|
||||||
theme = mkOption {
|
|
||||||
default = null;
|
|
||||||
example = pkgs.fetchurl {
|
|
||||||
url = http://download.berlios.de/slim/slim-wave.tar.gz;
|
|
||||||
sha256 = "0ndr419i5myzcylvxb89m9grl2xyq6fbnyc3lkd711mzlmnnfxdy";
|
|
||||||
};
|
|
||||||
description = "
|
|
||||||
The theme for the SLiM login manager. If not specified, SLiM's
|
|
||||||
default theme is used. See <link
|
|
||||||
xlink:href='http://slim.berlios.de/themes01.php'/> for a
|
|
||||||
collection of themes.
|
|
||||||
";
|
|
||||||
};
|
|
||||||
|
|
||||||
defaultUser = mkOption {
|
|
||||||
default = "";
|
|
||||||
example = "login";
|
|
||||||
description = "
|
|
||||||
The default user to load. If you put a username here you
|
|
||||||
get it automatically loaded into the username field, and
|
|
||||||
the focus is placed on the password.
|
|
||||||
";
|
|
||||||
};
|
|
||||||
|
|
||||||
hideCursor = mkOption {
|
|
||||||
default = false;
|
|
||||||
example = true;
|
|
||||||
description = "
|
|
||||||
Hide the mouse cursor on the login screen.
|
|
||||||
";
|
|
||||||
};
|
|
||||||
|
|
||||||
};
|
|
||||||
|
|
||||||
options = { services = { xserver = { displayManager = {
|
|
||||||
|
|
||||||
slim = slimOptions // {
|
|
||||||
|
|
||||||
enable = mkOption {
|
|
||||||
default = true;
|
|
||||||
description = "
|
|
||||||
Whether to enable slim as the display manager.
|
|
||||||
";
|
|
||||||
};
|
|
||||||
|
|
||||||
};
|
|
||||||
|
|
||||||
}; /* displayManager */ }; /* xserver */ }; /* services */ };
|
|
||||||
|
|
||||||
copyOldOptions = { services = { xserver = {
|
|
||||||
|
|
||||||
# Declare old options.
|
|
||||||
slim = slimOptions;
|
|
||||||
|
|
||||||
# Copy the old options into the new options.
|
|
||||||
displayManager = {
|
|
||||||
slim = config.services.xserver.slim;
|
|
||||||
};
|
|
||||||
|
|
||||||
}; /* xserver */ }; /* services */ };
|
|
||||||
|
|
||||||
in
|
|
||||||
|
|
||||||
###### implementation
|
|
||||||
let
|
|
||||||
xcfg = config.services.xserver;
|
|
||||||
dmcfg = xcfg.displayManager;
|
|
||||||
cfg = dmcfg.slim;
|
cfg = dmcfg.slim;
|
||||||
|
|
||||||
inherit (pkgs.lib) mkIf;
|
slimConfig = pkgs.writeText "slim.cfg"
|
||||||
|
''
|
||||||
slimConfig = pkgs.writeText "slim.cfg" ''
|
xauth_path ${dmcfg.xauthBin}
|
||||||
xauth_path ${dmcfg.xauthBin}
|
default_xserver ${dmcfg.xserverBin}
|
||||||
default_xserver ${dmcfg.xserverBin}
|
xserver_arguments ${dmcfg.xserverArgs}
|
||||||
xserver_arguments ${dmcfg.xserverArgs}
|
sessions ${pkgs.lib.concatStringsSep "," dmcfg.session.names}
|
||||||
sessions ${pkgs.lib.concatStringsSep "," dmcfg.session.names}
|
login_cmd exec ${pkgs.stdenv.bash}/bin/sh ${dmcfg.session.script} "%session"
|
||||||
login_cmd exec ${pkgs.stdenv.bash}/bin/sh ${dmcfg.session.script} "%session"
|
halt_cmd ${pkgs.upstart}/sbin/shutdown -h now
|
||||||
halt_cmd ${pkgs.upstart}/sbin/shutdown -h now
|
reboot_cmd ${pkgs.upstart}/sbin/shutdown -r now
|
||||||
reboot_cmd ${pkgs.upstart}/sbin/shutdown -r now
|
${if cfg.defaultUser != "" then "default_user " + cfg.defaultUser else ""}
|
||||||
${if cfg.defaultUser != "" then "default_user " + cfg.defaultUser else ""}
|
${if cfg.hideCursor then "hidecursor true" else ""}
|
||||||
${if cfg.hideCursor then "hidecursor true" else ""}
|
'';
|
||||||
'';
|
|
||||||
|
|
||||||
|
|
||||||
# Unpack the SLiM theme, or use the default.
|
# Unpack the SLiM theme, or use the default.
|
||||||
slimThemesDir =
|
slimThemesDir =
|
||||||
@ -106,34 +36,77 @@ let
|
|||||||
|
|
||||||
in
|
in
|
||||||
|
|
||||||
mkIf cfg.enable {
|
{
|
||||||
require = [
|
|
||||||
options
|
|
||||||
copyOldOptions
|
|
||||||
];
|
|
||||||
|
|
||||||
services = {
|
###### interface
|
||||||
xserver = {
|
|
||||||
displayManager = {
|
options = {
|
||||||
job = {
|
|
||||||
beforeScript = ''
|
services.xserver.displayManager.slim = {
|
||||||
|
|
||||||
|
enable = mkOption {
|
||||||
|
default = true;
|
||||||
|
description = ''
|
||||||
|
Whether to enable SLiM as the display manager.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
theme = mkOption {
|
||||||
|
default = null;
|
||||||
|
example = pkgs.fetchurl {
|
||||||
|
url = http://download.berlios.de/slim/slim-wave.tar.gz;
|
||||||
|
sha256 = "0ndr419i5myzcylvxb89m9grl2xyq6fbnyc3lkd711mzlmnnfxdy";
|
||||||
|
};
|
||||||
|
description = ''
|
||||||
|
The theme for the SLiM login manager. If not specified, SLiM's
|
||||||
|
default theme is used. See <link
|
||||||
|
xlink:href='http://slim.berlios.de/themes01.php'/> for a
|
||||||
|
collection of themes.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
defaultUser = mkOption {
|
||||||
|
default = "";
|
||||||
|
example = "login";
|
||||||
|
description = ''
|
||||||
|
The default user to load. If you put a username here you
|
||||||
|
get it automatically loaded into the username field, and
|
||||||
|
the focus is placed on the password.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
hideCursor = mkOption {
|
||||||
|
default = false;
|
||||||
|
example = true;
|
||||||
|
description = ''
|
||||||
|
Hide the mouse cursor on the login screen.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
};
|
||||||
|
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
###### implementation
|
||||||
|
|
||||||
|
config = mkIf cfg.enable {
|
||||||
|
|
||||||
|
services.xserver.displayManager.job =
|
||||||
|
{ beforeScript =
|
||||||
|
''
|
||||||
rm -f /var/log/slim.log
|
rm -f /var/log/slim.log
|
||||||
'';
|
'';
|
||||||
env = ''
|
env =
|
||||||
|
''
|
||||||
env SLIM_CFGFILE=${slimConfig}
|
env SLIM_CFGFILE=${slimConfig}
|
||||||
env SLIM_THEMESDIR=${slimThemesDir}
|
env SLIM_THEMESDIR=${slimThemesDir}
|
||||||
'';
|
'';
|
||||||
execCmd = "${pkgs.slim}/bin/slim";
|
execCmd = "${pkgs.slim}/bin/slim";
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
|
||||||
|
security.pam.services = [ { name = "slim"; localLogin = true; } ];
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
environment = {
|
|
||||||
etc = [
|
|
||||||
{ source = ./slim.pam;
|
|
||||||
target = "pam.d/slim";
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
@ -1,5 +0,0 @@
|
|||||||
auth include common
|
|
||||||
account include common
|
|
||||||
password include common
|
|
||||||
session include common
|
|
||||||
session include common-console
|
|