Diffstat (limited to 'nixpkgs/nixos/modules/security/pam_mount.nix')
-rw-r--r-- | nixpkgs/nixos/modules/security/pam_mount.nix | 93 |
1 files changed, 81 insertions, 12 deletions
diff --git a/nixpkgs/nixos/modules/security/pam_mount.nix b/nixpkgs/nixos/modules/security/pam_mount.nix index 462b7f89e2f4..11cc13a8cbeb 100644 --- a/nixpkgs/nixos/modules/security/pam_mount.nix +++ b/nixpkgs/nixos/modules/security/pam_mount.nix @@ -5,6 +5,14 @@ with lib; let cfg = config.security.pam.mount; + oflRequired = cfg.logoutHup || cfg.logoutTerm || cfg.logoutKill; + + fake_ofl = pkgs.writeShellScriptBin "fake_ofl" '' + SIGNAL=$1 + MNTPT=$2 + ${pkgs.lsof}/bin/lsof | ${pkgs.gnugrep}/bin/grep $MNTPT | ${pkgs.gawk}/bin/awk '{print $2}' | ${pkgs.findutils}/bin/xargs ${pkgs.util-linux}/bin/kill -$SIGNAL + ''; + anyPamMount = any (attrByPath ["pamMount"] false) (attrValues config.security.pam.services); in @@ -15,7 +23,7 @@ in enable = mkOption { type = types.bool; default = false; - description = '' + description = lib.mdDoc '' Enable PAM mount system to mount fileystems on user login. ''; }; @@ -23,10 +31,9 @@ in extraVolumes = mkOption { type = types.listOf types.str; default = []; - description = '' + description = lib.mdDoc '' List of volume definitions for pam_mount. - For more information, visit <link - xlink:href="http://pam-mount.sourceforge.net/pam_mount.conf.5.html" />. + For more information, visit <http://pam-mount.sourceforge.net/pam_mount.conf.5.html>. ''; }; @@ -34,7 +41,7 @@ in type = types.listOf types.package; default = []; example = literalExpression "[ pkgs.bindfs ]"; - description = '' + description = lib.mdDoc '' Additional programs to include in the search path of pam_mount. Useful for example if you want to use some FUSE filesystems like bindfs. ''; 
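Review bot: In the first hunk, `fake_ofl` selects victims by running `grep $MNTPT` over the whole of `lsof`'s output, so `$MNTPT` is treated as an unanchored, unquoted regular expression and any process whose lsof line merely contains that string (a longer path such as `/home/user2` when the mount is `/home/user`, a command name, or an unrelated file) is signalled too; pam_mount runs this as root at logout, so other users' processes are in scope. Letting lsof do the selection is both narrower and shorter: `${pkgs.lsof}/bin/lsof -t -- "$MNTPT" | ${pkgs.findutils}/bin/xargs -r ${pkgs.util-linux}/bin/kill -"$SIGNAL"`, where `-t` emits PIDs only, a mount-point argument is (as I understand lsof's handling of such names) expanded to every file open on that filesystem, quoting keeps mount points with spaces intact, and `xargs -r` (GNU findutils is what the expression uses) avoids invoking `kill` with no PIDs. A one-line comment above the script stating that it stands in for hxtools' `ofl` and is only wired in when one of the `logout*` options is set would also help readers of the `let` block. The remaining three hunks on this line are `lib.mdDoc` conversions and raise nothing.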
@@ -46,11 +53,74 @@ in example = literalExpression '' [ "nodev" "nosuid" "force-user=%(USER)" "gid=%(USERGID)" "perms=0700" "chmod-deny" "chown-deny" "chgrp-deny" ] ''; - description = '' + description = lib.mdDoc '' Global mount options that apply to every FUSE volume. You can define volume-specific options in the volume definitions. ''; }; + + debugLevel = mkOption { + type = types.int; + default = 0; + example = 1; + description = lib.mdDoc '' + Sets the Debug-Level. 0 disables debugging, 1 enables pam_mount tracing, + and 2 additionally enables tracing in mount.crypt. The default is 0. + For more information, visit <http://pam-mount.sourceforge.net/pam_mount.conf.5.html>. + ''; + }; + + logoutWait = mkOption { + type = types.int; + default = 0; + description = lib.mdDoc '' + Amount of microseconds to wait until killing remaining processes after + final logout. + For more information, visit <http://pam-mount.sourceforge.net/pam_mount.conf.5.html>. + ''; + }; + + logoutHup = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Kill remaining processes after logout by sending a SIGHUP. + ''; + }; + + logoutTerm = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Kill remaining processes after logout by sending a SIGTERM. + ''; + }; + + logoutKill = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Kill remaining processes after logout by sending a SIGKILL. + ''; + }; + + createMountPoints = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc '' + Create mountpoints for volumes if they do not exist. + ''; + }; + + removeCreatedMountPoints = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc '' + Remove mountpoints created by pam_mount after logout. This + only affects mountpoints that have been created by pam_mount + in the same session. + ''; + }; }; }; 
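Review bot: `debugLevel` and `logoutWait` are declared as plain `types.int`, so a negative wait or a debug level outside the documented 0–2 range evaluates fine and is written verbatim into the generated pam_mount.conf.xml, where pam_mount rather than the module author reports the problem. Tightening them to `type = types.ints.between 0 2;` for `debugLevel` and `type = types.ints.unsigned;` for `logoutWait` rejects such values at evaluation time; the trailing "The default is 0." in the `debugLevel` description can then go, since `default = 0;` already documents it. The `logoutHup`/`logoutTerm`/`logoutKill` descriptions should also say what enabling them pulls in, e.g. `Enabling this installs an lsof-based stand-in for hxtools' ofl to locate the processes to signal.`, because that consequence is only visible from the `oflRequired` and `fake_ofl` bindings earlier in the file.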
@@ -77,21 +147,20 @@ in <!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd"> <!-- auto generated from Nixos: modules/config/users-groups.nix --> <pam_mount> - <debug enable="0" /> - + <debug enable="${toString cfg.debugLevel}" /> <!-- if activated, requires ofl from hxtools to be present --> - <logout wait="0" hup="no" term="no" kill="no" /> + <logout wait="${toString cfg.logoutWait}" hup="${if cfg.logoutHup then "yes" else "no"}" term="${if cfg.logoutTerm then "yes" else "no"}" kill="${if cfg.logoutKill then "yes" else "no"}" /> <!-- set PATH variable for pam_mount module --> <path>${makeBinPath ([ pkgs.util-linux ] ++ cfg.additionalSearchPaths)}</path> <!-- create mount point if not present --> - <mkmountpoint enable="1" remove="true" /> - + <mkmountpoint enable="${if cfg.createMountPoints then "1" else "0"}" remove="${if cfg.removeCreatedMountPoints then "true" else "false"}" /> <!-- specify the binaries to be called --> <fusemount>${pkgs.fuse}/bin/mount.fuse %(VOLUME) %(MNTPT) -o ${concatStringsSep "," (cfg.fuseMountOptions ++ [ "%(OPTIONS)" ])}</fusemount> + <fuseumount>${pkgs.fuse}/bin/fusermount -u %(MNTPT)</fuseumount> <cryptmount>${pkgs.pam_mount}/bin/mount.crypt %(VOLUME) %(MNTPT)</cryptmount> <cryptumount>${pkgs.pam_mount}/bin/umount.crypt %(MNTPT)</cryptumount> <pmvarrun>${pkgs.pam_mount}/bin/pmvarrun -u %(USER) -o %(OPERATION)</pmvarrun> - + ${optionalString oflRequired "<ofl>${fake_ofl}/bin/fake_ofl %(SIGNAL) %(MNTPT)</ofl>"} ${concatStrings (map userVolumeEntry (attrValues extraUserVolumes))} ${concatStringsSep "\n" cfg.extraVolumes} </pam_mount> |
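Review bot: The kept comment `<!-- if activated, requires ofl from hxtools to be present -->` above the rewritten `<logout ... />` line is now misleading, because the `<ofl>` element this hunk adds points at the `fake_ofl` wrapper whenever `oflRequired` holds and hxtools is never consulted; suggest `<!-- if activated, remaining processes are located and signalled by the fake_ofl wrapper (an lsof-based stand-in for hxtools' ofl) -->`. As a point of style, the new `<logout>` and `<mkmountpoint>` lines each inline four or two `if … then "yes" else "no"` expressions on a single line; a small helper in the `let` block such as `yesNo = b: if b then "yes" else "no";` would make them readable without changing the output.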