nixos: reduce pam files rebuilds on updates

Before whenever environment variables changed, pam files had to be
rebuild.

This is expensive since each file needs its own sandbox set up.
This commit is contained in:
Jörg Thalheim 2021-07-28 06:28:25 +02:00
parent 3dcb36f234
commit 1645acf1d3
6 changed files with 35 additions and 37 deletions

View file

@ -65,42 +65,40 @@ in
};
config = {
environment.etc."pam/environment".text = let
suffixedVariables =
flip mapAttrs cfg.profileRelativeSessionVariables (envVar: suffixes:
flip concatMap cfg.profiles (profile:
map (suffix: "${profile}${suffix}") suffixes
)
);
system.build.pamEnvironment =
let
suffixedVariables =
flip mapAttrs cfg.profileRelativeSessionVariables (envVar: suffixes:
flip concatMap cfg.profiles (profile:
map (suffix: "${profile}${suffix}") suffixes
)
);
# We're trying to use the same syntax for PAM variables and env variables.
# That means we need to map the env variables that people might use to their
# equivalent PAM variable.
replaceEnvVars = replaceStrings ["$HOME" "$USER"] ["@{HOME}" "@{PAM_USER}"];
# We're trying to use the same syntax for PAM variables and env variables.
# That means we need to map the env variables that people might use to their
# equivalent PAM variable.
replaceEnvVars = replaceStrings ["$HOME" "$USER"] ["@{HOME}" "@{PAM_USER}"];
pamVariable = n: v:
''${n} DEFAULT="${concatStringsSep ":" (map replaceEnvVars (toList v))}"'';
pamVariable = n: v:
''${n} DEFAULT="${concatStringsSep ":" (map replaceEnvVars (toList v))}"'';
pamVariables =
concatStringsSep "\n"
(mapAttrsToList pamVariable
(zipAttrsWith (n: concatLists)
[
# Make sure security wrappers are prioritized without polluting
# shell environments with an extra entry. Sessions which depend on
# pam for its environment will otherwise have eg. broken sudo. In
# particular Gnome Shell sometimes fails to source a proper
# environment from a shell.
{ PATH = [ config.security.wrapperDir ]; }
(mapAttrs (n: toList) cfg.sessionVariables)
suffixedVariables
]));
in
pkgs.writeText "pam-environment" "${pamVariables}\n";
pamVariables =
concatStringsSep "\n"
(mapAttrsToList pamVariable
(zipAttrsWith (n: concatLists)
[
# Make sure security wrappers are prioritized without polluting
# shell environments with an extra entry. Sessions which depend on
# pam for its environment will otherwise have eg. broken sudo. In
# particular Gnome Shell sometimes fails to source a proper
# environment from a shell.
{ PATH = [ config.security.wrapperDir ]; }
(mapAttrs (n: toList) cfg.sessionVariables)
suffixedVariables
]));
in ''
${pamVariables}
'';
};
}

View file

@ -475,7 +475,7 @@ let
# Session management.
${optionalString cfg.setEnvironment ''
session required pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0
session required pam_env.so conffile=/etc/pam/environment readenv=0
''}
session required pam_unix.so
${optionalString cfg.setLoginUid

View file

@ -82,7 +82,7 @@ in {
auth required pam_unix.so nullok
account required pam_unix.so
session required pam_unix.so
session required pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0
session required pam_env.so conffile=/etc/pam/environment readenv=0
session required ${pkgs.systemd}/lib/security/pam_systemd.so
'';

View file

@ -309,7 +309,7 @@ in
password required pam_deny.so
session required pam_succeed_if.so audit quiet_success user = gdm
session required pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0
session required pam_env.so conffile=/etc/pam/environment readenv=0
session optional ${pkgs.systemd}/lib/security/pam_systemd.so
session optional pam_keyinit.so force revoke
session optional pam_permit.so

View file

@ -284,7 +284,7 @@ in
password required pam_deny.so
session required pam_succeed_if.so audit quiet_success user = lightdm
session required pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0
session required pam_env.so conffile=/etc/pam/environment readenv=0
session optional ${pkgs.systemd}/lib/security/pam_systemd.so
session optional pam_keyinit.so force revoke
session optional pam_permit.so

View file

@ -229,7 +229,7 @@ in
password required pam_deny.so
session required pam_succeed_if.so audit quiet_success user = sddm
session required pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0
session required pam_env.so conffile=/etc/pam/environment readenv=0
session optional ${pkgs.systemd}/lib/security/pam_systemd.so
session optional pam_keyinit.so force revoke
session optional pam_permit.so