diff --git a/modules/programs/shadow.nix b/modules/programs/shadow.nix
index 711156918df..81286d9bb5c 100644
--- a/modules/programs/shadow.nix
+++ b/modules/programs/shadow.nix
@@ -87,9 +87,7 @@ in
{ name = "groupmod"; rootOK = true; }
{ name = "groupmems"; rootOK = true; }
{ name = "groupdel"; rootOK = true; }
- { name = "login"; ownDevices = true; allowNullPassword = true;
- limits = config.security.pam.loginLimits;
- }
+ { name = "login"; ownDevices = true; allowNullPassword = true; }
];
security.setuidPrograms = [ "passwd" "chfn" "su" ];
diff --git a/modules/security/pam.nix b/modules/security/pam.nix
index 589d7a6c6ac..4e50c661460 100644
--- a/modules/security/pam.nix
+++ b/modules/security/pam.nix
@@ -52,7 +52,7 @@ let
# in.
allowNullPassword ? false
, # The limits, as per limits.conf(5).
- limits ? []
+ limits ? config.security.pam.loginLimits
}:
{ source = pkgs.writeText "${name}.pam"
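Review bot: The new default on `limits` makes every service built by this function inherit `security.pam.loginLimits`, not only `login`, but the parameter comment still reads only "The limits, as per limits.conf(5)." I would extend it to `# The limits, as per limits.conf(5). Defaults to security.pam.loginLimits; pass limits = [] to exempt a service.` so that the inheritance and the opt-out are visible at the call site. How the list is rendered into the PAM file is outside this hunk. It is worth confirming that an explicit empty list still leaves the limits line out, otherwise a service has no way to opt out.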
@@ -132,13 +132,12 @@ in
];
description =
- '' Define resource limits that should apply to users or groups for the
- login service. Each item in the list should be
- an attribute set with a domain,
- type, item, and
- value attribute. The syntax and semantics of
- these attributes must be that described in the limits.conf(5) man
- page.
+ '' Define resource limits that should apply to users or groups.
+ Each item in the list should be an attribute set with a
+ domain, type,
+ item, and value
+ attribute. The syntax and semantics of these attributes
+ must be that described in the limits.conf(5) man page.
'';
};
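Review bot: The reworded description drops "for the login service" without saying where the limits now apply, and the option is still named `loginLimits`. With the changed default in the service function, these limits appear to reach every PAM service that does not set `limits` itself, so the text should say so, for example `Define resource limits that should apply to users or groups in every PAM service that does not set its own limits.` Someone relying on these limits to contain resource exhaustion needs to know which sessions are covered and which are exempt. The option definition begins before this hunk, so the name and type are not visible here.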
@@ -212,7 +211,6 @@ in
setuid = true;
} ];
-
security.pam.services =
# Most of these should be moved to specific modules.
[ { name = "cups"; }