diff options
author | gnidorah <gnidorah@users.noreply.github.com> | 2017-10-22 15:42:00 +0300 |
---|---|---|
committer | gnidorah <gnidorah@users.noreply.github.com> | 2018-01-01 21:58:37 +0300 |
commit | f15fad898b3076eb758bad7e437ecae9dae7752f (patch) | |
tree | 1de7594ad430adf73b8ac20ac97b7c6a1881b946 /nixos/modules/security | |
parent | f59a0f7f1a6d968e0e05bd7d3188f32f17eb226f (diff) | |
download | nixlib-f15fad898b3076eb758bad7e437ecae9dae7752f.tar nixlib-f15fad898b3076eb758bad7e437ecae9dae7752f.tar.gz nixlib-f15fad898b3076eb758bad7e437ecae9dae7752f.tar.bz2 nixlib-f15fad898b3076eb758bad7e437ecae9dae7752f.tar.lz nixlib-f15fad898b3076eb758bad7e437ecae9dae7752f.tar.xz nixlib-f15fad898b3076eb758bad7e437ecae9dae7752f.tar.zst nixlib-f15fad898b3076eb758bad7e437ecae9dae7752f.zip |
pam: add optional pam_gnome_keyring integration
Diffstat (limited to 'nixos/modules/security')
-rw-r--r-- | nixos/modules/security/pam.nix | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 8d658a20a1fe..3fff9e78aa19 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -223,6 +223,17 @@ let ''; }; + enableGnomeKeyring = mkOption { + default = false; + type = types.bool; + description = '' + If enabled, pam_gnome_keyring will attempt to automatically unlock the + user's default Gnome keyring upon login. If the user login password does + not match their keyring password, Gnome Keyring will prompt separately + after login. + ''; + }; + text = mkOption { type = types.nullOr types.lines; description = "Contents of the PAM service file."; @@ -273,7 +284,7 @@ let # prompts the user for password so we run it once with 'required' at an # earlier point and it will run again with 'sufficient' further down. # We use try_first_pass the second time to avoid prompting password twice - (optionalString (cfg.unixAuth && (config.security.pam.enableEcryptfs || cfg.pamMount || cfg.enableKwallet)) '' + (optionalString (cfg.unixAuth && (config.security.pam.enableEcryptfs || cfg.pamMount || cfg.enableKwallet || cfg.enableGnomeKeyring)) '' auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth ${optionalString config.security.pam.enableEcryptfs "auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"} @@ -282,6 +293,8 @@ let ${optionalString cfg.enableKwallet ("auth optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" + " kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")} + ${optionalString cfg.enableGnomeKeyring + ("auth optional ${pkgs.gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so")} '') + '' ${optionalString cfg.unixAuth "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth try_first_pass"} @@ -351,6 +364,8 @@ let ${optionalString (cfg.enableKwallet) ("session optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" + " kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")} + ${optionalString (cfg.enableGnomeKeyring) + "session optional ${pkgs.gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so auto_start"} ${optionalString (config.virtualisation.lxc.lxcfs.enable) "session optional ${pkgs.lxcfs}/lib/security/pam_cgfs.so -c freezer,memory,name=systemd,unified,cpuset"} ''); |