Merge pull request #186628 from ocfox/pam_faildelay

nixos/pam: add option failDelay
2022-11-07 19:54:57 +08:00 · 2022-11-07 19:54:57 +08:00 · 03e68946a0
parent 590a40e134 ab0ae8f5e1
commit 03e68946a0
1 changed files with 22 additions and 0 deletions
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@ -392,6 +392,24 @@ let
        '';
      };

+      failDelay = {
+        enable = mkOption {
+          type = types.bool;
+          default = false;
+          description = lib.mdDoc ''
+            If enabled, this will replace the `FAIL_DELAY` setting from `login.defs`.
+            Change the delay on failure per-application.
+            '';
+        };
+
+        delay = mkOption {
+          default = 3000000;
+          type = types.int;
+          example = 1000000;
+          description = lib.mdDoc "The delay time (in microseconds) on failure.";
+        };
+      };
+
      gnupg = {
        enable = mkOption {
          type = types.bool;
@ -531,6 +549,7 @@ let
              || cfg.enableGnomeKeyring
              || cfg.googleAuthenticator.enable
              || cfg.gnupg.enable
+              || cfg.failDelay.enable
              || cfg.duoSecurity.enable))
            (
              ''
@ -551,6 +570,9 @@ let
              optionalString cfg.gnupg.enable ''
                auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so ${optionalString cfg.gnupg.storeOnly " store-only"}
              '' +
+              optionalString cfg.failDelay.enable ''
+                auth optional ${pkgs.pam}/lib/security/pam_faildelay.so delay=${toString cfg.failDelay.delay}
+              '' +
              optionalString cfg.googleAuthenticator.enable ''
                auth required ${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so no_increment_hotp
              '' +