nixos/pam_mount: add pamMount attribute to users #100554

Merged
merged 1 commit into from Oct 20, 2020

@dnr dnr commented Oct 15, 2020

This attribute is a generalized version of cryptHomeLuks for creating an
entry in /etc/security/pam_mount.conf.xml. It lets the configuration
control all the attributes of the <volume> entry, instead of just the
path. The default path remains the value of cryptHomeLuks, for
compatibility.

Motivation for this change

I'd like to configure pam_mount with more control than the existing cryptHomeLuks attribute allows, specifically adding options.
pam_mount isn't specific to luks or block devices, and it's easy to expose basically all of its features by allowing any attributes here.

For example, my local user now looks like:

```nix
users.users.dnr = {
  ...
  pamMount = {
    path = "/dev/disk/by-uuid/42be38bf-a911-4940-b9ab-e0f640cae689";
    options = "crypto_name=home,noatime,compress-force=zstd";
  };
};
```

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

This attribute is a generalized version of cryptHomeLuks for creating an
entry in /etc/security/pam_mount.conf.xml. It lets the configuration
control all the attributes of the <volume> entry, instead of just the
path. The default path remains the value of cryptHomeLuks, for
compatibility.
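As an added illustration (not the NixOS module's own code), here is a Python sketch of the mapping this PR describes: each user's pamMount attribute set becomes one <volume> element of pam_mount.conf.xml, with the path falling back to cryptHomeLuks when pamMount does not set one. The helper names, the constructed USERS sample and the placeholder UUID are assumptions of the example; pinning the user attribute to the account name is likewise an assumption about how the entry should be generated.

```python
from xml.etree import ElementTree as ET

# Constructed sample, assumption of this example (placeholder UUID, not a real device).
USERS = {
    "dnr": {"pamMount": {"path": "/dev/disk/by-uuid/PLACEHOLDER-UUID",
                         "options": "crypto_name=home,noatime,compress-force=zstd"}},
    "alice": {"cryptHomeLuks": "/dev/mapper/alice-home"},   # legacy attribute only
    "bob": {},                                               # nothing to mount
}


def volume_attrs(name, user):
    """Merge a user's pamMount set with the legacy cryptHomeLuks path.

    cryptHomeLuks supplies the default path; pamMount.path overrides it and
    any other pamMount key is passed through as a <volume> attribute.
    """
    attrs = dict(user.get("pamMount") or {})
    crypt = user.get("cryptHomeLuks")
    if crypt is not None and "path" not in attrs:
        attrs["path"] = crypt
    if "path" not in attrs:
        return None  # no volume for this user
    # The user attribute is always the account name: a pamMount key must not
    # be able to attach the entry to a different account.
    attrs["user"] = name
    return attrs


def render_volume(name, user):
    """Return one serialized <volume .../> element, or '' if the user has none.
    ElementTree escapes attribute values, so '&', '<' and '"' in a path or
    option string cannot break the XML or smuggle in extra attributes."""
    attrs = volume_attrs(name, user)
    if attrs is None:
        return ""
    el = ET.Element("volume", {k: str(v) for k, v in sorted(attrs.items())})
    return ET.tostring(el, encoding="unicode")


def render_conf(users):
    """Render a minimal pam_mount.conf.xml with one <volume> per mountable user."""
    body = "\n".join(v for v in (render_volume(n, u) for n, u in sorted(users.items())) if v)
    return '<?xml version="1.0" encoding="utf-8"?>\n<pam_mount>\n' + body + "\n</pam_mount>\n"


def parse_volumes(conf):
    """Parse a rendered config back into a list of attribute dicts (round-trip check)."""
    root = ET.fromstring(conf.encode("utf-8"))
    return [dict(v.attrib) for v in root.iter("volume")]
```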
@aanderse
Member

ping @Kloenk

@Kloenk
Member

Kloenk commented Oct 15, 2020

Looks reasonable, but I don't know much about PAM, so not sure.

@dnr
Contributor Author

dnr commented Oct 15, 2020

FYI, there's no real change here at the PAM level, and the PAM module this affects is not part of the standard set. This module (and the changes to PAM config files themselves) is enabled under exactly the same conditions as before (i.e. security.pam.mount.enable = true). It's just a more flexible way of passing parameters to it. But feel free to nitpick, this is my first change to NixOS.

I was wondering about making that more implicit: for example, automatically turning on security.pam.mount.enable when any user has a pamMount or cryptHomeLuks attribute. Is that the sort of thing that is considered a good idea in NixOS or is better to be explicit?

@Kloenk
Member

Kloenk commented Oct 15, 2020

I would prefer it explicit

@Mic92 Mic92 merged commit 1a9e02d into NixOS:master Oct 20, 2020
@dnr dnr deleted the feature/pamMount branch June 19, 2022 20:02