nixos/pam: mount encrypted home earlier

This patch was done by curro: The generated /etc/pam.d/* service files invoke the pam_systemd.so session module before pam_mount.so, if both are enabled (e.g. via security.pam.services.foo.startSession and security.pam.services.foo.pamMount respectively). This doesn't work in the most common scenario where the user's home directory is stored in a pam-mounted encrypted volume (because systemd will fail to access the user's systemd configuration).
NixOS · Jun 4, 2020 · 66e040e · 66e040e
1 parent 467ce5a
commit 66e040e
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
@@ -436,6 +436,8 @@ let
               "session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"}
           ${optionalString config.security.pam.enableEcryptfs
               "session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
+          ${optionalString cfg.pamMount
+              "session optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
           ${optionalString use_ldap
               "session optional ${pam_ldap}/lib/security/pam_ldap.so"}
           ${optionalString config.services.sssd.enable
@@ -452,8 +454,6 @@ let
               "session required ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf cfg.limits}"}
           ${optionalString (cfg.showMotd && config.users.motd != null)
               "session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}"}
-          ${optionalString cfg.pamMount
-              "session optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
           ${optionalString (cfg.enableAppArmor && config.security.apparmor.enable)
               "session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug"}
           ${optionalString (cfg.enableKwallet)