nixpkgs-suyu/modules/programs/shadow.nix
Jan Malakhovski b3f4040512 Radically change the way NixOS handles environment variables and make it possible not to use Bash as the default interactive shell.
This change does two things:

* "NixOSizes" environment variables generation. This allows some more
  error-checking and opens possibilities for a modular environment
  configuration. From now on the most of environment variables are
  generated directly by the nix code. Generating sh code that
  generates environment variables is left in a few places where
  nontrivial access to a local environment state is needed.
* By doing the first change this patch untangles bash from the
  environment configuration and makes it trivial to add a support for
  other non bash-compatible shells.

Now to the sad part. This change is quite large (and I'm not sure it's
possible to split it) and yet is not quite complete, it needs some
changes to nixpkgs to be perfect.
See !!! comments in modules/config/shells-environment.nix.

Main principle behind this change is "change environment generation
and nothing else". In particular, shell configuration principles stay
exactly the same as before.
2013-09-23 16:55:25 +00:00

103 lines
2.5 KiB
Nix

# Configuration for the pwdutils suite of tools: passwd, useradd, etc.
{ config, pkgs, ... }:
with pkgs.lib;
let
loginDefs =
''
DEFAULT_HOME yes
SYS_UID_MIN 100
SYS_UID_MAX 499
UID_MIN 1000
UID_MAX 29999
SYS_GID_MIN 100
SYS_GID_MAX 499
GID_MIN 1000
GID_MAX 29999
TTYGROUP tty
TTYPERM 0620
# Ensure privacy for newly created home directories.
UMASK 077
# Uncomment this to allow non-root users to change their account
#information. This should be made configurable.
#CHFN_RESTRICT frwh
'';
in
{
###### interface
options = {
users.defaultUserShell = pkgs.lib.mkOption {
description = ''
This option defines the default shell assigned to user
accounts. This must not be a store path, since the path is
used outside the store (in particular in /etc/passwd).
Rather, it should be the path of a symlink that points to the
actual shell in the Nix store.
'';
type = types.uniq types.path;
};
};
###### implementation
config = {
environment.systemPackages = [ pkgs.shadow ];
environment.etc =
[ { # /etc/login.defs: global configuration for pwdutils. You
# cannot login without it!
source = pkgs.writeText "login.defs" loginDefs;
target = "login.defs";
}
{ # /etc/default/useradd: configuration for useradd.
source = pkgs.writeText "useradd"
''
GROUP=100
HOME=/home
SHELL=${config.users.defaultUserShell}
'';
target = "default/useradd";
}
];
security.pam.services =
[ { name = "chsh"; rootOK = true; }
{ name = "chfn"; rootOK = true; }
{ name = "su"; rootOK = true; forwardXAuth = true; }
{ name = "passwd"; }
# Note: useradd, groupadd etc. aren't setuid root, so it
# doesn't really matter what the PAM config says as long as it
# lets root in.
{ name = "useradd"; rootOK = true; }
{ name = "usermod"; rootOK = true; }
{ name = "userdel"; rootOK = true; }
{ name = "groupadd"; rootOK = true; }
{ name = "groupmod"; rootOK = true; }
{ name = "groupmems"; rootOK = true; }
{ name = "groupdel"; rootOK = true; }
{ name = "login"; startSession = true; allowNullPassword = true; showMotd = true; }
];
security.setuidPrograms = [ "passwd" "chfn" "su" "newgrp" ];
};
}