nixos: add optional pam_kwallet5 integration #22813
Conversation
|
@benley, thanks for your PR! By analyzing the history of the files in this pull request, we identified @edolstra, @abbradar and @markus2342 to be potential reviewers. |
| @@ -212,6 +212,15 @@ let | |||
| ''; | |||
| }; | |||
|
|
|||
| enableKwallet = mkOption { | |||
There was a problem hiding this comment.
From the name of this option, it would seem necessary to enable it to use kwallet at all, which is not true. The description does not contradict that interpretation. Please either change the name or mention this in the description.
There was a problem hiding this comment.
Done - I've kept the option name but made the description much more explicit.
nixos/modules/security/pam.nix
Outdated
| type = types.bool; | ||
| description = '' | ||
| Enable pam_kwallet to automatically unlock user KDE Wallets | ||
| upon login (if their wallet password matches their login password) |
There was a problem hiding this comment.
What happens if this is enabled, but my wallet password does not match my login password?
There was a problem hiding this comment.
Your wallet just won't be auto-unlocked, and KDE will prompt you for the wallet password when it is needed. I will make sure to test things like that prior to merging this change.
nixos/modules/security/pam.nix
Outdated
| auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth | ||
| ${optionalString config.security.pam.enableEcryptfs | ||
| "auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"} | ||
| ${optionalString cfg.pamMount | ||
| "auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so"} | ||
| ${optionalString cfg.enableKwallet | ||
| "auth optional ${pkgs.kde5.kwallet-pam}/lib/security/pam_kwallet5.so auto_start"} |
There was a problem hiding this comment.
the docs say the auth optional bit doesn't need the auto_start option: https://wiki.archlinux.org/index.php/KDE_Wallet
There was a problem hiding this comment.
Whoops, you are right. Fixing.
There was a problem hiding this comment.
Even better, it turns out that auto_start does absolutely nothing with pam_kwallet. It appears that it was accidentally copied over from the pam_gnome_keyring config at some point, and that tidbit has been repeated in many places around the net ever since.
|
This should be ready for another look now. |
Motivation for this change
https://wiki.archlinux.org/index.php/KDE_Wallet
Nice-to-have KDE wallet integration.