nixos/pam: add option failDelay

Co-authored-by: Bobby Rong <rjl931189261@126.com>
ocfox 2022-11-07 19:16:35 +08:00
parent 1c64f29ee9
commit ab0ae8f5e1
No known key found for this signature in database
GPG key ID: 8C2212388306143C


@ -383,6 +383,24 @@ let
'';
};
failDelay = {
enable = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
If enabled, this will replace the `FAIL_DELAY` setting from `login.defs`.
Change the delay on failure per-application.
'';
};
delay = mkOption {
default = 3000000;
type = types.int;
example = 1000000;
description = lib.mdDoc "The delay time (in microseconds) on failure.";
};
};
gnupg = {
enable = mkOption {
type = types.bool;
@ -513,6 +531,7 @@ let
|| cfg.enableGnomeKeyring
|| cfg.googleAuthenticator.enable
|| cfg.gnupg.enable
|| cfg.failDelay.enable
|| cfg.duoSecurity.enable))
(
''
@ -533,6 +552,9 @@ let
optionalString cfg.gnupg.enable ''
auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so ${optionalString cfg.gnupg.storeOnly " store-only"}
'' +
optionalString cfg.failDelay.enable ''
auth optional ${pkgs.pam}/lib/security/pam_faildelay.so delay=${toString cfg.failDelay.delay}
'' +
optionalString cfg.googleAuthenticator.enable ''
auth required ${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so no_increment_hotp
'' +
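Review bot: The `delay` option in the first hunk (the `failDelay = {` block) is typed `types.int`, so a negative value passes module evaluation and is interpolated verbatim into `delay=${toString cfg.failDelay.delay}`; `type = types.ints.unsigned;` (or `types.ints.positive`) rejects it at build time, and the existing `default` and `example` already fit. pam_fail_delay(3) takes an unsigned microsecond count, so what a negative argument does here is decided by pam_faildelay's own parsing rather than by this module, which is not something the option should rely on. The `enable` description could also state what the delay is for, e.g. `Adds a delay after a failed authentication attempt, which slows down password guessing; the FAIL_DELAY value from login.defs is ignored for this application.` The enclosing `let` block and the string concatenation continue outside the hunk.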