Merge pull request #133014 from Mic92/fix-pam

nixos: reduce pam files rebuilds on updates
2021-08-20 23:23:42 +01:00 · 2021-08-20 23:23:42 +01:00 · 9b962429be
commit 9b962429be
parent 628af8a187 1645acf1d3
6 changed files with 35 additions and 37 deletions
--- a/nixos/modules/config/system-environment.nix
+++ b/nixos/modules/config/system-environment.nix
@ -65,9 +65,7 @@ in
  };

  config = {
-
-    system.build.pamEnvironment =
-      let
+    environment.etc."pam/environment".text = let
      suffixedVariables =
        flip mapAttrs cfg.profileRelativeSessionVariables (envVar: suffixes:
          flip concatMap cfg.profiles (profile:
@ -98,9 +96,9 @@ in
            (mapAttrs (n: toList) cfg.sessionVariables)
            suffixedVariables
          ]));
-      in
-        pkgs.writeText "pam-environment" "${pamVariables}\n";
-
+    in ''
+      ${pamVariables}
+    '';
  };

 }
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@ -475,7 +475,7 @@ let

          # Session management.
          ${optionalString cfg.setEnvironment ''
-            session required pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0
+            session required pam_env.so conffile=/etc/pam/environment readenv=0
          ''}
          session required pam_unix.so
          ${optionalString cfg.setLoginUid
--- a/nixos/modules/services/wayland/cage.nix
+++ b/nixos/modules/services/wayland/cage.nix
@ -82,7 +82,7 @@ in {
      auth    required pam_unix.so nullok
      account required pam_unix.so
      session required pam_unix.so
-      session required pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0
+      session required pam_env.so conffile=/etc/pam/environment readenv=0
      session required ${pkgs.systemd}/lib/security/pam_systemd.so
    '';

--- a/nixos/modules/services/x11/display-managers/gdm.nix
+++ b/nixos/modules/services/x11/display-managers/gdm.nix
@ -314,7 +314,7 @@ in
        password required       pam_deny.so

        session  required       pam_succeed_if.so audit quiet_success user = gdm
-        session  required       pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0
+        session  required       pam_env.so conffile=/etc/pam/environment readenv=0
        session  optional       ${pkgs.systemd}/lib/security/pam_systemd.so
        session  optional       pam_keyinit.so force revoke
        session  optional       pam_permit.so
--- a/nixos/modules/services/x11/display-managers/lightdm.nix
+++ b/nixos/modules/services/x11/display-managers/lightdm.nix
@ -284,7 +284,7 @@ in
        password required       pam_deny.so

        session  required       pam_succeed_if.so audit quiet_success user = lightdm
-        session  required       pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0
+        session  required       pam_env.so conffile=/etc/pam/environment readenv=0
        session  optional       ${pkgs.systemd}/lib/security/pam_systemd.so
        session  optional       pam_keyinit.so force revoke
        session  optional       pam_permit.so
--- a/nixos/modules/services/x11/display-managers/sddm.nix
+++ b/nixos/modules/services/x11/display-managers/sddm.nix
@ -229,7 +229,7 @@ in
        password required       pam_deny.so

        session  required       pam_succeed_if.so audit quiet_success user = sddm
-        session  required       pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0
+        session  required       pam_env.so conffile=/etc/pam/environment readenv=0
        session  optional       ${pkgs.systemd}/lib/security/pam_systemd.so
        session  optional       pam_keyinit.so force revoke
        session  optional       pam_permit.so