diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 8ed7a721a3ef..0944b36c6d19 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -295,9 +295,14 @@ let
};
limits = mkOption {
+ default = [];
+ type = limitsType;
description = ''
Attribute set describing resource limits. Defaults to the
value of .
+ The meaning of the values is explained in
+ limits.conf5
+ .
'';
};
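Review bot: The added `default = [];` sits beside a description that still says the option defaults to the value of another option, so the generated option documentation will show `[]` while the text promises inheritance. If the inherited value is still assigned elsewhere in the module (not visible in this hunk), add a `defaultText` naming that option, presumably `security.pam.loginLimits`, so the rendered default matches the effective one. If nothing assigns it any more, a PAM service would end up with no limits entries at all, which should be confirmed before merging. The enclosing submodule starts and ends outside the hunk.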
@@ -648,6 +653,51 @@ let
"${domain} ${type} ${item} ${toString value}\n")
limits);
+ limitsType = with lib.types; listOf (submodule ({ ... }: {
+ options = {
+ domain = mkOption {
+ description = "Username, groupname, or wildcard this limit applies to";
+ example = "@wheel";
+ type = str;
+ };
+
+ type = mkOption {
+ description = "Type of this limit";
+ type = enum [ "-" "hard" "soft" ];
+ default = "-";
+ };
+
+ item = mkOption {
+ description = "Item this limit applies to";
+ type = enum [
+ "core"
+ "data"
+ "fsize"
+ "memlock"
+ "nofile"
+ "rss"
+ "stack"
+ "cpu"
+ "nproc"
+ "as"
+ "maxlogins"
+ "maxsyslogins"
+ "priority"
+ "locks"
+ "sigpending"
+ "msgqueue"
+ "nice"
+ "rtprio"
+ ];
+ };
+
+ value = mkOption {
+ description = "Value of this limit";
+ type = oneOf [ str int ];
+ };
+ };
+ }));
+
motd = pkgs.writeText "motd" config.users.motd;
makePAMService = name: service:
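Review bot: `domain` and `value` accept any `str`, and the context lines at the top of this hunk show each entry being interpolated into one space-separated, newline-terminated line of the limits file. A string containing whitespace or a newline would therefore pass type checking and still produce a malformed or additional limits line. Because `limitsType` is also applied to the per-service `limits` option and to `security.pam.loginLimits` in the other hunks, tightening it here covers both, for example `type = strMatching "[^[:space:]]+";` for `domain` and `type = oneOf [ (strMatching "[^[:space:]]+") int ];` for `value`. The `value` description could also state which string forms are expected, so that a typo fails at evaluation time rather than being silently ignored or rejected at login.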
@@ -669,6 +719,7 @@ in
security.pam.loginLimits = mkOption {
default = [];
+ type = limitsType;
example =
[ { domain = "ftp";
type = "hard";
@@ -688,7 +739,8 @@ in
domain, type,
item, and value
attribute. The syntax and semantics of these attributes
- must be that described in the limits.conf(5) man page.
+ must be that described in limits.conf
+ 5.
Note that these limits do not apply to systemd services,
whose limits can be changed via