Merge pull request #240960 from majiru/add-tlsclient

tlsclient: init at 1.5, pam_dp9ik: init at 1.5
2023-07-09 22:36:57 +02:00 · 2023-07-09 22:36:57 +02:00 · 0ccdf00a66
commit 0ccdf00a66
parent 599b8acc19 5f97e78c64
4 changed files with 103 additions and 0 deletions
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@ -548,6 +548,9 @@ let
          (let yubi = config.security.pam.yubico; in optionalString cfg.yubicoAuth ''
            auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so mode=${toString yubi.mode} ${optionalString (yubi.challengeResponsePath != null) "chalresp_path=${yubi.challengeResponsePath}"} ${optionalString (yubi.mode == "client") "id=${toString yubi.id}"} ${optionalString yubi.debug "debug"}
          '') +
+          (let dp9ik = config.security.pam.dp9ik; in optionalString dp9ik.enable ''
+            auth ${dp9ik.control} ${pkgs.pam_dp9ik}/lib/security/pam_p9.so ${dp9ik.authserver}
+          '') +
          optionalString cfg.fprintAuth ''
            auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so
          '' +
@ -913,6 +916,32 @@ in

    security.pam.enableOTPW = mkEnableOption (lib.mdDoc "the OTPW (one-time password) PAM module");

+    security.pam.dp9ik = {
+      enable = mkEnableOption (
+        lib.mdDoc ''
+          the dp9ik pam module provided by tlsclient.
+
+          If set, users can be authenticated against the 9front
+          authentication server given in {option}`security.pam.dp9ik.authserver`.
+        ''
+      );
+      control = mkOption {
+        default = "sufficient";
+        type = types.str;
+        description = lib.mdDoc ''
+          This option sets the pam "control" used for this module.
+        '';
+      };
+      authserver = mkOption {
+        default = null;
+        type = with types; nullOr string;
+        description = lib.mdDoc ''
+          This controls the hostname for the 9front authentication server
+          that users will be authenticated against.
+        '';
+      };
+    };
+
    security.pam.krb5 = {
      enable = mkOption {
        default = config.krb5.enable;
--- a/pkgs/os-specific/linux/pam_dp9ik/default.nix
+++ b/pkgs/os-specific/linux/pam_dp9ik/default.nix
@ -0,0 +1,30 @@
+{ lib
+, tlsclient
+, stdenv
+, pkg-config
+, pam
+}:
+
+stdenv.mkDerivation {
+  inherit (tlsclient) src version enableParallelBuilding;
+
+  pname = "pam_dp9ik";
+
+  strictDeps = true;
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ pam ];
+
+  makeFlags = [ "pam_p9.so" ];
+  installPhase = ''
+    install -Dm755 -t $out/lib/security/ pam_p9.so
+  '';
+
+  meta = with lib; {
+    description = "dp9ik pam module";
+    longDescription = "Uses tlsclient to authenticate users against a 9front auth server";
+    homepage = "https://git.sr.ht/~moody/tlsclient";
+    license = licenses.mit;
+    maintainers = with maintainers; [ moody ];
+    platforms = platforms.linux;
+  };
+}
--- a/pkgs/tools/admin/tlsclient/default.nix
+++ b/pkgs/tools/admin/tlsclient/default.nix
@ -0,0 +1,40 @@
+{ lib
+, stdenv
+, fetchFromSourcehut
+, pkg-config
+, openssl
+, installShellFiles
+}:
+
+stdenv.mkDerivation rec {
+  pname = "tlsclient";
+  version = "1.5";
+
+  src = fetchFromSourcehut {
+    owner = "~moody";
+    repo = "tlsclient";
+    rev = "v${version}";
+    hash = "sha256-9LKx9x5Kx7Mo4EL/b89Mdsdu8NqVYxohn98XnF+IWXs=";
+  };
+
+  strictDeps = true;
+  enableParallelBuilding = true;
+  nativeBuildInputs = [ pkg-config installShellFiles ];
+  buildInputs = [ openssl ];
+
+  makeFlags = [ "tlsclient" ];
+  installPhase = ''
+    install -Dm755 -t $out/bin tlsclient
+    installManPage tlsclient.1
+  '';
+
+  meta = with lib; {
+    description = "tlsclient command line utility";
+    longDescription = "unix port of 9front's tlsclient(1) and rcpu(1)";
+    homepage = "https://git.sr.ht/~moody/tlsclient";
+    license = licenses.mit;
+    maintainers = with maintainers; [ moody ];
+    mainProgram = "tlsclient";
+    platforms = platforms.all;
+  };
+}
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -13345,6 +13345,8 @@ with pkgs;

  tldr-hs = haskellPackages.tldr;

+  tlsclient = callPackage ../tools/admin/tlsclient { };
+
  tlsx = callPackage ../tools/security/tlsx { };

  tmate = callPackage ../tools/misc/tmate { };
@ -27955,6 +27957,8 @@ with pkgs;

  pam_ccreds = callPackage ../os-specific/linux/pam_ccreds { };

+  pam_dp9ik = callPackage ../os-specific/linux/pam_dp9ik { };
+
  pam_gnupg = callPackage ../os-specific/linux/pam_gnupg { };

  pam_krb5 = callPackage ../os-specific/linux/pam_krb5 { };