nixos/pam: add serviceDefaults

NixOS · Sep 7, 2024 · 43101d9 · 43101d9
1 parent b6cf41a
commit 43101d9
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 8 deletions.
diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md
@@ -25,6 +25,9 @@
 - `hardware.display` is a new module implementing workarounds for misbehaving monitors
   through setting up custom EDID files and forcing kernel/framebuffer modes.
 
+- `security.pam.serviceDefaults` is a new way to configure the default PAM modules for all services, providing a
+  simple way to only use a pam module for one specific service.
+
 - A new display-manager `services.displayManager.ly` was added.
   It is a tui based replacement of sddm and lightdm for window manager users.
   Users can use it by `services.displayManager.ly.enable` and config it by

diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
@@ -98,13 +98,9 @@ let
   package = config.security.pam.package;
   parentConfig = config;
 
-  pamOpts = { config, name, ... }: let cfg = config; in let config = parentConfig; in {
-
-    imports = [
-      (lib.mkRenamedOptionModule [ "enableKwallet" ] [ "kwallet" "enable" ])
-    ];
-
-    options = {
+  pamOpts = default: {config, name, ...}: let cfg = config; in let
+    config = parentConfig;
+    configDefaults = {
 
       name = lib.mkOption {
         example = "sshd";
@@ -585,6 +581,24 @@ let
       };
 
     };
+  in {
+    imports = [
+      (lib.mkRenamedOptionModule [ "enableKwallet" ] [ "kwallet" "enable" ])
+    ];
+
+    options =
+      if default
+      then configDefaults
+      else lib.mapAttrsRecursiveCond
+        (as: !(lib.isOption as))
+        (path: value:
+          if lib.isOption value && builtins.hasAttr "default" value
+          then value // {
+            default = lib.attrByPath path (throw "Service default does not exist") config.security.pam.serviceDefaults;
+            defaultText = lib.literalExpression "config.security.pam.serviceDefaults.${lib.concatStringsSep "." path}";
+          }
+          else value)
+        configDefaults;
 
     # The resulting /etc/pam.d/* file contents are verified in
     # nixos/tests/pam/pam-file-contents.nix. Please update tests there when
@@ -1008,9 +1022,17 @@ in
      '';
     };
 
+    security.pam.serviceDefaults = lib.mkOption {
+      default = {};
+      type = lib.types.submodule (pamOpts true);
+      description = ''
+        This option defines the default PAM service configuration.
+      '';
+    };
+
     security.pam.services = lib.mkOption {
       default = {};
-      type = with lib.types; attrsOf (submodule pamOpts);
+      type = with lib.types; attrsOf (submodule (pamOpts false));
       description = ''
           This option defines the PAM services.  A service typically
           corresponds to a program that uses PAM,