nixos: security.pam: Rename enableU2F and add opts #40455
Conversation
Renamed security.pam.enableU2F to security.pam.u2f.enable Added security.pam.u2f.options
|
Have you considered using type "listOf str"? (It allows merging multiple definitions.) |
|
Merging is something I'd be reluctant to support because PAM is a rather sensitive part of the system and if you override your own options it's hard to tell what will happen and getting an error seems like a good thing to me. I'm open to feedback on this, of course. Ideally every PAM module would take a set of options instead, but that would be a pretty significant rework and something I would want to get feedback on first. |
| @@ -250,6 +250,9 @@ with lib; | |||
| (mkRenamedOptionModule [ "programs" "info" "enable" ] [ "documentation" "info" "enable" ]) | |||
| (mkRenamedOptionModule [ "programs" "man" "enable" ] [ "documentation" "man" "enable" ]) | |||
|
|
|||
| # PAM | |||
| (mkRenamedOptionModule [ "security" "pam" "enableU2F" ] [ "security" "pam" "u2f" "enable" ]) | |||
|
|
|||
There was a problem hiding this comment.
Isn't this missing the u2fAuth -> u2f.enable change?
There was a problem hiding this comment.
That's defined on every (freeform) service. I don't believe the rename module supports a usecase where something like security.pam.services.<name?>.u2fAuth is renamed.
There was a problem hiding this comment.
Ah right, it won't work here probably, but maybe it'll work by adding an imports = [(mkRenamed ...)] at line 12 in pam.nix
|
Ping? |
|
closing this PR in favor of #54756. |
Renamed security.pam.enableU2F to security.pam.u2f.enable
Added security.pam.u2f.options
Motivation for this change
The old setup makes it impossible to provide options to the U2F PAM module, even though these options provide a lot of extra possibilities in using the module (to hardcode U2F keys in /etc/, for example).
Things done
build-use-sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)