diff options
Diffstat (limited to 'nixos/modules/security/duosec.nix')
-rw-r--r-- | nixos/modules/security/duosec.nix | 44 |
1 files changed, 28 insertions, 16 deletions
diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix index 997328ad9e6a..c686a6861d0f 100644 --- a/nixos/modules/security/duosec.nix +++ b/nixos/modules/security/duosec.nix @@ -12,7 +12,7 @@ let ikey=${cfg.ikey} skey=${cfg.skey} host=${cfg.host} - ${optionalString (cfg.group != "") ("group="+cfg.group)} + ${optionalString (cfg.groups != "") ("groups="+cfg.groups)} failmode=${cfg.failmode} pushinfo=${boolToStr cfg.pushinfo} autopush=${boolToStr cfg.autopush} @@ -25,21 +25,27 @@ let accept_env_factor=${boolToStr cfg.acceptEnvFactor} ''; - loginCfgFile = optional cfg.ssh.enable - { source = pkgs.writeText "login_duo.conf" configFileLogin; - mode = "0600"; - user = "sshd"; - target = "duo/login_duo.conf"; - }; + loginCfgFile = optionalAttrs cfg.ssh.enable { + "duo/login_duo.conf" = + { source = pkgs.writeText "login_duo.conf" configFileLogin; + mode = "0600"; + user = "sshd"; + }; + }; - pamCfgFile = optional cfg.pam.enable - { source = pkgs.writeText "pam_duo.conf" configFilePam; - mode = "0600"; - user = "sshd"; - target = "duo/pam_duo.conf"; - }; + pamCfgFile = optional cfg.pam.enable { + "duo/pam_duo.conf" = + { source = pkgs.writeText "pam_duo.conf" configFilePam; + mode = "0600"; + user = "sshd"; + }; + }; in { + imports = [ + (mkRenamedOptionModule [ "security" "duosec" "group" ] [ "security" "duosec" "groups" ]) + ]; + options = { security.duosec = { ssh.enable = mkOption { @@ -69,10 +75,16 @@ in description = "Duo API hostname."; }; - group = mkOption { + groups = mkOption { type = types.str; default = ""; - description = "Use Duo authentication for users only in this group."; + example = "users,!wheel,!*admin guests"; + description = '' + If specified, Duo authentication is required only for users + whose primary group or supplementary group list matches one + of the space-separated pattern lists. Refer to + <link xlink:href="https://duo.com/docs/duounix"/> for details. + ''; }; failmode = mkOption { @@ -186,7 +198,7 @@ in environment.systemPackages = [ pkgs.duo-unix ]; security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo"; - environment.etc = loginCfgFile ++ pamCfgFile; + environment.etc = loginCfgFile // pamCfgFile; /* If PAM *and* SSH are enabled, then don't do anything special. If PAM isn't used, set the default SSH-only options. */ |