diff --git a/nixos/modules/services/desktops/gnome3/gnome-keyring.nix b/nixos/modules/services/desktops/gnome3/gnome-keyring.nix index 5ea4350be5b4..4c350d8bb1c6 100644 --- a/nixos/modules/services/desktops/gnome3/gnome-keyring.nix +++ b/nixos/modules/services/desktops/gnome3/gnome-keyring.nix @@ -35,6 +35,8 @@ with lib; services.dbus.packages = [ pkgs.gnome3.gnome-keyring pkgs.gcr ]; + security.pam.services.login.enableGnomeKeyring = true; + }; } diff --git a/nixos/modules/services/x11/display-managers/gdm.nix b/nixos/modules/services/x11/display-managers/gdm.nix index 226fee7491c1..3edf7c8d9cab 100644 --- a/nixos/modules/services/x11/display-managers/gdm.nix +++ b/nixos/modules/services/x11/display-managers/gdm.nix @@ -208,76 +208,25 @@ in session optional pam_permit.so ''; - gdm.text = '' - auth requisite pam_nologin.so - auth required pam_env.so envfile=${config.system.build.pamEnvironment} - - auth required pam_succeed_if.so uid >= 1000 quiet - auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so - auth ${if config.security.pam.enableEcryptfs then "required" else "sufficient"} pam_unix.so nullok likeauth - ${optionalString config.security.pam.enableEcryptfs - "auth required ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"} - - ${optionalString (! config.security.pam.enableEcryptfs) - "auth required pam_deny.so"} - - account sufficient pam_unix.so - - password requisite pam_unix.so nullok sha512 - ${optionalString config.security.pam.enableEcryptfs - "password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} - - session required pam_env.so envfile=${config.system.build.pamEnvironment} - session required pam_unix.so - ${optionalString config.security.pam.enableEcryptfs - "session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} - session required pam_loginuid.so - session optional ${pkgs.systemd}/lib/security/pam_systemd.so - session optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start - ''; - gdm-password.text = '' - auth requisite pam_nologin.so - auth required pam_env.so envfile=${config.system.build.pamEnvironment} - - auth required pam_succeed_if.so uid >= 1000 quiet - auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so - auth ${if config.security.pam.enableEcryptfs then "required" else "sufficient"} pam_unix.so nullok likeauth - ${optionalString config.security.pam.enableEcryptfs - "auth required ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"} - ${optionalString (! config.security.pam.enableEcryptfs) - "auth required pam_deny.so"} - - account sufficient pam_unix.so - - password requisite pam_unix.so nullok sha512 - ${optionalString config.security.pam.enableEcryptfs - "password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} - - session required pam_env.so envfile=${config.system.build.pamEnvironment} - session required pam_unix.so - ${optionalString config.security.pam.enableEcryptfs - "session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} - session required pam_loginuid.so - session optional ${pkgs.systemd}/lib/security/pam_systemd.so - session optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start + auth substack login + account include login + password substack login + session include login ''; gdm-autologin.text = '' - auth requisite pam_nologin.so + auth requisite pam_nologin.so - auth required pam_succeed_if.so uid >= 1000 quiet - auth required pam_permit.so + auth required pam_succeed_if.so uid >= 1000 quiet + auth required pam_permit.so - account sufficient pam_unix.so + account sufficient pam_unix.so - password requisite pam_unix.so nullok sha512 + password requisite pam_unix.so nullok sha512 - session optional pam_keyinit.so revoke - session required pam_env.so envfile=${config.system.build.pamEnvironment} - session required pam_unix.so - session required pam_loginuid.so - session optional ${pkgs.systemd}/lib/security/pam_systemd.so + session optional pam_keyinit.so revoke + session include login ''; };