pam_dp9ik: init at 1.5

2023-07-01 14:48:38 -05:00 · 2023-07-01 14:48:38 -05:00 · 5f97e78c64
commit 5f97e78c64
parent 17b5dc8705
3 changed files with 61 additions and 0 deletions
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@ -548,6 +548,9 @@ let
          (let yubi = config.security.pam.yubico; in optionalString cfg.yubicoAuth ''
            auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so mode=${toString yubi.mode} ${optionalString (yubi.challengeResponsePath != null) "chalresp_path=${yubi.challengeResponsePath}"} ${optionalString (yubi.mode == "client") "id=${toString yubi.id}"} ${optionalString yubi.debug "debug"}
          '') +
+          (let dp9ik = config.security.pam.dp9ik; in optionalString dp9ik.enable ''
+            auth ${dp9ik.control} ${pkgs.pam_dp9ik}/lib/security/pam_p9.so ${dp9ik.authserver}
+          '') +
          optionalString cfg.fprintAuth ''
            auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so
          '' +
@ -913,6 +916,32 @@ in

    security.pam.enableOTPW = mkEnableOption (lib.mdDoc "the OTPW (one-time password) PAM module");

+    security.pam.dp9ik = {
+      enable = mkEnableOption (
+        lib.mdDoc ''
+          the dp9ik pam module provided by tlsclient.
+
+          If set, users can be authenticated against the 9front
+          authentication server given in {option}`security.pam.dp9ik.authserver`.
+        ''
+      );
+      control = mkOption {
+        default = "sufficient";
+        type = types.str;
+        description = lib.mdDoc ''
+          This option sets the pam "control" used for this module.
+        '';
+      };
+      authserver = mkOption {
+        default = null;
+        type = with types; nullOr string;
+        description = lib.mdDoc ''
+          This controls the hostname for the 9front authentication server
+          that users will be authenticated against.
+        '';
+      };
+    };
+
    security.pam.krb5 = {
      enable = mkOption {
        default = config.krb5.enable;
--- a/pkgs/os-specific/linux/pam_dp9ik/default.nix
+++ b/pkgs/os-specific/linux/pam_dp9ik/default.nix
@ -0,0 +1,30 @@
+{ lib
+, tlsclient
+, stdenv
+, pkg-config
+, pam
+}:
+
+stdenv.mkDerivation {
+  inherit (tlsclient) src version enableParallelBuilding;
+
+  pname = "pam_dp9ik";
+
+  strictDeps = true;
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ pam ];
+
+  makeFlags = [ "pam_p9.so" ];
+  installPhase = ''
+    install -Dm755 -t $out/lib/security/ pam_p9.so
+  '';
+
+  meta = with lib; {
+    description = "dp9ik pam module";
+    longDescription = "Uses tlsclient to authenticate users against a 9front auth server";
+    homepage = "https://git.sr.ht/~moody/tlsclient";
+    license = licenses.mit;
+    maintainers = with maintainers; [ moody ];
+    platforms = platforms.linux;
+  };
+}
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -27957,6 +27957,8 @@ with pkgs;

  pam_ccreds = callPackage ../os-specific/linux/pam_ccreds { };

+  pam_dp9ik = callPackage ../os-specific/linux/pam_dp9ik { };
+
  pam_gnupg = callPackage ../os-specific/linux/pam_gnupg { };

  pam_krb5 = callPackage ../os-specific/linux/pam_krb5 { };