author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2024-02-04 18:01:14 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-02-04 18:01:14 +0000 |
commit | 145a9cb679a92f784805c37173d8c08d4f129489 (patch) | |
tree | f9e6287591e3dd8876c1162623265b760604a24b /nixos | |
parent | 630c078fd548064eaa7312bc1345e4c752f6f11b (diff) | |
parent | 2ca3e867682dbf94b001d2c4c38c1fe8b79e47ce (diff) | |
Merge master into staging-next
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/security/pam.nix | 3 | ||||
-rw-r--r-- | nixos/modules/services/security/intune.nix | 32 | ||||
-rw-r--r-- | nixos/tests/all-tests.nix | 1 | ||||
-rw-r--r-- | nixos/tests/gnome-extensions.nix | 2 | ||||
-rw-r--r-- | nixos/tests/intune.nix | 56 |
6 files changed, 94 insertions, 1 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 37f822721f48..e97fb45e769c 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1202,6 +1202,7 @@
   ./services/security/hologram-agent.nix
   ./services/security/hologram-server.nix
   ./services/security/infnoise.nix
+  ./services/security/intune.nix
   ./services/security/jitterentropy-rngd.nix
   ./services/security/kanidm.nix
   ./services/security/munge.nix
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index ffbb558549f6..f809848fd428 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -700,6 +700,7 @@ let
               || cfg.pamMount
               || cfg.enableKwallet
               || cfg.enableGnomeKeyring
+              || config.services.intune.enable
               || cfg.googleAuthenticator.enable
               || cfg.gnupg.enable
               || cfg.failDelay.enable
@@ -726,6 +727,7 @@ let
             kwalletd = "${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5";
           }; }
           { name = "gnome_keyring"; enable = cfg.enableGnomeKeyring; control = "optional"; modulePath = "${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so"; }
+          { name = "intune"; enable = config.services.intune.enable; control = "optional"; modulePath = "${pkgs.intune-portal}/lib/security/pam_intune.so"; }
           { name = "gnupg"; enable = cfg.gnupg.enable; control = "optional"; modulePath = "${pkgs.pam_gnupg}/lib/security/pam_gnupg.so"; settings = {
             store-only = cfg.gnupg.storeOnly;
           }; }
@@ -867,6 +869,7 @@ let
           { name = "gnupg"; enable = cfg.gnupg.enable; control = "optional"; modulePath = "${pkgs.pam_gnupg}/lib/security/pam_gnupg.so"; settings = {
             no-autostart = cfg.gnupg.noAutostart;
           }; }
+          { name = "intune"; enable = config.services.intune.enable; control = "optional"; modulePath = "${pkgs.intune-portal}/lib/security/pam_intune.so"; }
         ];
       };
     };
diff --git a/nixos/modules/services/security/intune.nix b/nixos/modules/services/security/intune.nix
new file mode 100644
index 000000000000..93cecaca5f43
--- /dev/null
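Review bot: The `intune` rules added to the auth stack (this hunk, after `gnome_keyring`) and to the session stack (the hunk at -867) are switched by the global `config.services.intune.enable` rather than a per-service `cfg.*` flag, so, unlike the neighbouring `kwallet5`/`gnome_keyring`/`gnupg` entries that a `security.pam.services.<name>` definition can turn off, `pam_intune.so` appears to end up in every PAM service on the host, including ones the test in this commit never exercises. The same global value is folded into the `pam_unix` condition in the hunk at -700, which makes security/pam.nix depend on a service module. If that is intended, a comment such as `# no per-service switch: pam_intune runs in every PAM service while services.intune is enabled` on the new rule would record it; otherwise a `cfg.enableIntune`-style option defaulting to `config.services.intune.enable` would keep the current behaviour while letting operators narrow it. `control = "optional"` means a module failure cannot lock anyone out, so the concern is the module executing in contexts nobody reviewed, not availability.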
+++ b/nixos/modules/services/security/intune.nix
@@ -0,0 +1,32 @@
+{ config
+, pkgs
+, lib
+, ...
+}:
+let
+  cfg = config.services.intune;
+in
+{
+  options.services.intune = {
+    enable = lib.mkEnableOption (lib.mdDoc "Microsoft Intune");
+  };
+
+
+  config = lib.mkIf cfg.enable {
+    users.users.microsoft-identity-broker = {
+      group = "microsoft-identity-broker";
+      isSystemUser = true;
+    };
+
+    users.groups.microsoft-identity-broker = { };
+    environment.systemPackages = [ pkgs.microsoft-identity-broker pkgs.intune-portal ];
+    systemd.packages = [ pkgs.microsoft-identity-broker pkgs.intune-portal ];
+
+    systemd.tmpfiles.packages = [ pkgs.intune-portal ];
+    services.dbus.packages = [ pkgs.microsoft-identity-broker ];
+  };
+
+  meta = {
+    maintainers = with lib.maintainers; [ rhysmdnz ];
+  };
+}
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index c943179051cc..66c29092cb6d 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -425,6 +425,7 @@ in {
   inspircd = handleTest ./inspircd.nix {};
   installer = handleTest ./installer.nix {};
   installer-systemd-stage-1 = handleTest ./installer-systemd-stage-1.nix {};
+  intune = handleTest ./intune.nix {};
   invoiceplane = handleTest ./invoiceplane.nix {};
   iodine = handleTest ./iodine.nix {};
   ipv6 = handleTest ./ipv6.nix {};
diff --git a/nixos/tests/gnome-extensions.nix b/nixos/tests/gnome-extensions.nix
index 2faff9a4a80d..a9bb5e3766b7 100644
--- a/nixos/tests/gnome-extensions.nix
+++ b/nixos/tests/gnome-extensions.nix
@@ -86,7 +86,7 @@ import ./make-test-python.nix (
         "ddterm"
         "emoji-selector"
         "gsconnect"
-        "system-monitor"
+        "system-monitor-next"
         "desktop-icons-ng-ding"
         "workspace-indicator"
         "vitals"
diff --git a/nixos/tests/intune.nix b/nixos/tests/intune.nix
new file mode 100644
index 000000000000..41bf638d7661
--- /dev/null
+++ b/nixos/tests/intune.nix
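Review bot: `lib.mkEnableOption (lib.mdDoc "Microsoft Intune")` yields only "Whether to enable Microsoft Intune.", so an admin reading the option cannot see that enabling it also inserts `pam_intune.so` into the PAM auth and session stacks (security/pam.nix in this commit reads `config.services.intune.enable`) and adds the `microsoft-identity-broker` system user together with its D-Bus and systemd units. Spelling that out in the option text, e.g. `enable = lib.mkEnableOption (lib.mdDoc "Microsoft Intune. Enabling this also adds pam_intune to the PAM stacks and installs the microsoft-identity-broker system service");`, documents the side effects where they are discovered. As a style nit, there are two blank lines between the `options` block and `config =`; one would match the rest of the file.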
@@ -0,0 +1,56 @@
+import ./make-test-python.nix ({ pkgs, ...} : {
+  name = "intune";
+  meta = {
+    maintainers = with pkgs.lib.maintainers; [ rhysmdnz ];
+  };
+  enableOCR = true;
+
+  nodes.machine =
+    { nodes, ... }:
+    let user = nodes.machine.users.users.alice;
+    in {
+      services.intune.enable=true;
+      services.gnome.gnome-keyring.enable = true;
+      imports = [ ./common/user-account.nix ./common/x11.nix ];
+      test-support.displayManager.auto.user = user.name;
+      environment = {
+        variables.DBUS_SESSION_BUS_ADDRESS = "unix:path=/run/user/${builtins.toString user.uid}/bus";
+      };
+    };
+  nodes.pam =
+    { nodes, ... }:
+    let user = nodes.machine.users.users.alice;
+    in {
+      services.intune.enable=true;
+      imports = [ ./common/user-account.nix ];
+    };
+
+  testScript = ''
+    start_all()
+
+    # Check System Daemons successfully start
+    machine.succeed("systemctl start microsoft-identity-device-broker.service")
+    machine.succeed("systemctl start intune-daemon.service")
+
+    # Check User Daemons and intune-portal execurtable works
+    # Going any further than starting it would require internet access and a microsoft account
+    machine.wait_for_x()
+    # TODO: This needs an unlocked user keychain before it will work
+    #machine.succeed("su - alice -c 'systemctl start --user microsoft-identity-broker.service'")
+    machine.succeed("su - alice -c 'systemctl start --user intune-agent.service'")
+    machine.succeed("su - alice -c intune-portal >&2 &")
+    machine.wait_for_text("Intune Agent")
+
+    # Check logging in creates password file
+    def login_as_alice():
+      pam.wait_until_tty_matches("1", "login: ")
+      pam.send_chars("alice\n")
+      pam.wait_until_tty_matches("1", "Password: ")
+      pam.send_chars("foobar\n")
+      pam.wait_until_tty_matches("1", "alice\@pam")
+
+    pam.wait_for_unit("multi-user.target")
+    login_as_alice()
+    pam.wait_for_file("/run/intune/1000/pwquality")
+  '';
+})
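Review bot: `pam.wait_for_file("/run/intune/1000/pwquality")` hard-codes alice's uid, while the `machine` node derives the same number from `user.uid` for `DBUS_SESSION_BUS_ADDRESS`; if common/user-account.nix ever changes the uid, the PAM check silently times out instead of failing for the real reason. Making `testScript` a function of the nodes (`testScript = { nodes, ... }: ''`) allows `pam.wait_for_file("/run/intune/${toString nodes.pam.users.users.alice.uid}/pwquality")` instead. Since the comment describes this as a password file, existence alone is a thin assertion; following up with `pam.succeed("stat -c '%U:%a' /run/intune/1000/pwquality")` and comparing against the expected owner and mode would catch a regression that leaves it readable by other users. Also, the `let user = ...` binding in `nodes.pam` is unused, and "execurtable" in the comment should read "executable".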