
nixos/kanidm: rename options
PatrickDaG committed Dec 19, 2024
1 parent 4d982ce commit 1799bbc
Showing 4 changed files with 301 additions and 214 deletions.
2 changes: 1 addition & 1 deletion nixos/doc/manual/release-notes/rl-2205.section.md
@@ -105,7 +105,7 @@ In addition to numerous new and upgraded packages, this release has the followin

- [K40-Whisperer](https://www.scorchworks.com/K40whisperer/k40whisperer.html), a program to control cheap Chinese laser cutters. Available as [programs.k40-whisperer.enable](#opt-programs.k40-whisperer.enable). Users must add themselves to the `k40` group to be able to access the device.

- [kanidm](https://kanidm.github.io/kanidm/stable/), an identity management server written in Rust. Available as [services.kanidm](#opt-services.kanidm.enableServer)
- [kanidm](https://kanidm.github.io/kanidm/stable/), an identity management server written in Rust. Available as [services.kanidm](#opt-services.kanidm.server.enable)

- [Maddy](https://maddy.email/), a free an open source mail server. Available as [services.maddy](#opt-services.maddy.enable).

10 changes: 5 additions & 5 deletions nixos/modules/security/pam.nix
@@ -658,7 +658,7 @@ let
{ name = "mysql"; enable = cfg.mysqlAuth; control = "sufficient"; modulePath = "${pkgs.pam_mysql}/lib/security/pam_mysql.so"; settings = {
config_file = "/etc/security/pam_mysql.conf";
}; }
{ name = "kanidm"; enable = config.services.kanidm.enablePam; control = "sufficient"; modulePath = "${config.services.kanidm.package}/lib/pam_kanidm.so"; settings = {
{ name = "kanidm"; enable = config.services.kanidm.unix.enable; control = "sufficient"; modulePath = "${config.services.kanidm.package}/lib/pam_kanidm.so"; settings = {
ignore_unknown_user = true;
}; }
{ name = "sss"; enable = config.services.sssd.enable; control = if cfg.sssdStrictAccess then "[default=bad success=ok user_unknown=ignore]" else "sufficient"; modulePath = "${pkgs.sssd}/lib/security/pam_sss.so"; }
@@ -772,7 +772,7 @@ let
{ name = "ldap"; enable = use_ldap; control = "sufficient"; modulePath = "${pam_ldap}/lib/security/pam_ldap.so"; settings = {
use_first_pass = true;
}; }
{ name = "kanidm"; enable = config.services.kanidm.enablePam; control = "sufficient"; modulePath = "${config.services.kanidm.package}/lib/pam_kanidm.so"; settings = {
{ name = "kanidm"; enable = config.services.kanidm.unix.enable; control = "sufficient"; modulePath = "${config.services.kanidm.package}/lib/pam_kanidm.so"; settings = {
ignore_unknown_user = true;
use_first_pass = true;
}; }
@@ -809,7 +809,7 @@ let
{ name = "mysql"; enable = cfg.mysqlAuth; control = "sufficient"; modulePath = "${pkgs.pam_mysql}/lib/security/pam_mysql.so"; settings = {
config_file = "/etc/security/pam_mysql.conf";
}; }
{ name = "kanidm"; enable = config.services.kanidm.enablePam; control = "sufficient"; modulePath = "${config.services.kanidm.package}/lib/pam_kanidm.so"; }
{ name = "kanidm"; enable = config.services.kanidm.unix.enable; control = "sufficient"; modulePath = "${config.services.kanidm.package}/lib/pam_kanidm.so"; }
{ name = "sss"; enable = config.services.sssd.enable; control = "sufficient"; modulePath = "${pkgs.sssd}/lib/security/pam_sss.so"; }
{ name = "krb5"; enable = config.security.pam.krb5.enable; control = "sufficient"; modulePath = "${pam_krb5}/lib/security/pam_krb5.so"; settings = {
use_first_pass = true;
@@ -863,7 +863,7 @@ let
{ name = "mysql"; enable = cfg.mysqlAuth; control = "optional"; modulePath = "${pkgs.pam_mysql}/lib/security/pam_mysql.so"; settings = {
config_file = "/etc/security/pam_mysql.conf";
}; }
{ name = "kanidm"; enable = config.services.kanidm.enablePam; control = "optional"; modulePath = "${config.services.kanidm.package}/lib/pam_kanidm.so"; }
{ name = "kanidm"; enable = config.services.kanidm.unix.enable; control = "optional"; modulePath = "${config.services.kanidm.package}/lib/pam_kanidm.so"; }
{ name = "sss"; enable = config.services.sssd.enable; control = "optional"; modulePath = "${pkgs.sssd}/lib/security/pam_sss.so"; }
{ name = "krb5"; enable = config.security.pam.krb5.enable; control = "optional"; modulePath = "${pam_krb5}/lib/security/pam_krb5.so"; }
{ name = "otpw"; enable = cfg.otpwAuth; control = "optional"; modulePath = "${pkgs.otpw}/lib/security/pam_otpw.so"; }
@@ -1604,7 +1604,7 @@ in
# Include the PAM modules in the system path mostly for the manpages.
[ package ]
++ lib.optional config.users.ldap.enable pam_ldap
++ lib.optional config.services.kanidm.enablePam config.services.kanidm.package
++ lib.optional config.services.kanidm.unix.enable config.services.kanidm.package
++ lib.optional config.services.sssd.enable pkgs.sssd
++ lib.optionals config.security.pam.krb5.enable [pam_krb5 pam_ccreds]
++ lib.optionals config.security.pam.enableOTPW [ pkgs.otpw ]
