mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2025-01-25 12:09:15 -05:00
services: Add pam-mount.
* gnu/services/pam-mount.scm: New file. * gnu/local.mk (GNU_SYSTEM_MODULES): Add it. * doc/guix.texi (PAM Mount Service): New subsection. Signed-off-by: Ludovic Courtès <ludo@gnu.org>
This commit is contained in:
parent
055f052574
commit
c1c6650e28
3 changed files with 197 additions and 0 deletions
|
@ -68,6 +68,7 @@ Copyright @copyright{} 2019 Ivan Petkov@*
|
|||
Copyright @copyright{} 2019 Jakob L. Kreuze@*
|
||||
Copyright @copyright{} 2019 Kyle Andrews@*
|
||||
Copyright @copyright{} 2019 Alex Griffin@*
|
||||
Copyright @copyright{} 2019 Guillaume Le Vaillant@*
|
||||
|
||||
Permission is granted to copy, distribute and/or modify this document
|
||||
under the terms of the GNU Free Documentation License, Version 1.3 or
|
||||
|
@ -305,6 +306,7 @@ Services
|
|||
* Virtualization Services:: Virtualization services.
|
||||
* Version Control Services:: Providing remote access to Git repositories.
|
||||
* Game Services:: Game servers.
|
||||
* PAM Mount Service:: Service to mount volumes when logging in.
|
||||
* Miscellaneous Services:: Other services.
|
||||
|
||||
Defining Services
|
||||
|
@ -11931,6 +11933,7 @@ declaration.
|
|||
* Virtualization Services:: Virtualization services.
|
||||
* Version Control Services:: Providing remote access to Git repositories.
|
||||
* Game Services:: Game servers.
|
||||
* PAM Mount Service:: Service to mount volumes when logging in.
|
||||
* Guix Services:: Services relating specifically to Guix.
|
||||
* Miscellaneous Services:: Other services.
|
||||
@end menu
|
||||
|
@ -24656,6 +24659,88 @@ The port to bind the server to.
|
|||
@end deftp
|
||||
|
||||
|
||||
@node PAM Mount Service
|
||||
@subsection PAM Mount Service
|
||||
@cindex pam-mount
|
||||
|
||||
The @code{(gnu services pam-mount)} module provides a service allowing
|
||||
users to mount volumes when they log in. It should be able to mount any
|
||||
volume format supported by the system.
|
||||
|
||||
@defvar {Scheme Variable} pam-mount-service-type
|
||||
Service type for PAM Mount support.
|
||||
@end defvar
|
||||
|
||||
@deftp {Data Type} pam-mount-configuration
|
||||
Data type representing the configuration of PAM Mount.
|
||||
|
||||
It takes the following parameters:
|
||||
|
||||
@table @asis
|
||||
@item @code{rules}
|
||||
The configuration rules that will be used to generate
|
||||
@file{/etc/security/pam_mount.conf.xml}.
|
||||
|
||||
The configuration rules are SXML elements, and the the default ones
|
||||
don't mount anything for anyone at login:
|
||||
|
||||
@lisp
|
||||
`((debug (@@ (enable "0")))
|
||||
(mntoptions (@@ (allow ,(string-join
|
||||
'("nosuid" "nodev" "loop"
|
||||
"encryption" "fsck" "nonempty"
|
||||
"allow_root" "allow_other")
|
||||
","))))
|
||||
(mntoptions (@@ (require "nosuid,nodev")))
|
||||
(logout (@@ (wait "0")
|
||||
(hup "0")
|
||||
(term "no")
|
||||
(kill "no")))
|
||||
(mkmountpoint (@@ (enable "1")
|
||||
(remove "true"))))
|
||||
@end lisp
|
||||
|
||||
Some @code{volume} elements must be added to automatically mount volumes
|
||||
at login. Here's an example allowing the user @code{alice} to mount her
|
||||
encrypted @code{HOME} directory and allowing the user @code{bob} to mount
|
||||
the partition where he stores his data:
|
||||
|
||||
@lisp
|
||||
(define pam-mount-rules
|
||||
`((debug (@@ (enable "0")))
|
||||
(volume (@@ (user "alice")
|
||||
(fstype "crypt")
|
||||
(path "/dev/sda2")
|
||||
(mountpoint "/home/alice")))
|
||||
(volume (@@ (user "bob")
|
||||
(fstype "auto")
|
||||
(path "/dev/sdb3")
|
||||
(mountpoint "/home/bob/data")
|
||||
(options "defaults,autodefrag,compress")))
|
||||
(mntoptions (@@ (allow ,(string-join
|
||||
'("nosuid" "nodev" "loop"
|
||||
"encryption" "fsck" "nonempty"
|
||||
"allow_root" "allow_other")
|
||||
","))))
|
||||
(mntoptions (@@ (require "nosuid,nodev")))
|
||||
(logout (@@ (wait "0")
|
||||
(hup "0")
|
||||
(term "no")
|
||||
(kill "no")))
|
||||
(mkmountpoint (@@ (enable "1")
|
||||
(remove "true")))))
|
||||
|
||||
(service pam-mount-service-type
|
||||
(pam-mount-configuration
|
||||
(rules pam-mount-rules)))
|
||||
@end lisp
|
||||
|
||||
The complete list of possible options can be found in the man page for
|
||||
@uref{http://pam-mount.sourceforge.net/pam_mount.conf.5.html, pam_mount.conf}.
|
||||
@end table
|
||||
@end deftp
|
||||
|
||||
|
||||
@node Guix Services
|
||||
@subsection Guix Services
|
||||
|
||||
|
|
|
@ -551,6 +551,7 @@ GNU_SYSTEM_MODULES = \
|
|||
%D%/services/networking.scm \
|
||||
%D%/services/nix.scm \
|
||||
%D%/services/nfs.scm \
|
||||
%D%/services/pam-mount.scm \
|
||||
%D%/services/security-token.scm \
|
||||
%D%/services/shepherd.scm \
|
||||
%D%/services/sound.scm \
|
||||
|
|
111
gnu/services/pam-mount.scm
Normal file
111
gnu/services/pam-mount.scm
Normal file
|
@ -0,0 +1,111 @@
|
|||
;;; GNU Guix --- Functional package management for GNU
|
||||
;;; Copyright © 2019 Guillaume Le Vaillant <glv@posteo.net>
|
||||
;;;
|
||||
;;; This file is part of GNU Guix.
|
||||
;;;
|
||||
;;; GNU Guix is free software; you can redistribute it and/or modify it
|
||||
;;; under the terms of the GNU General Public License as published by
|
||||
;;; the Free Software Foundation; either version 3 of the License, or (at
|
||||
;;; your option) any later version.
|
||||
;;;
|
||||
;;; GNU Guix is distributed in the hope that it will be useful, but
|
||||
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
;;; GNU General Public License for more details.
|
||||
;;;
|
||||
;;; You should have received a copy of the GNU General Public License
|
||||
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
(define-module (gnu services pam-mount)
|
||||
#:use-module (gnu packages admin)
|
||||
#:use-module (gnu services)
|
||||
#:use-module (gnu services configuration)
|
||||
#:use-module (gnu system pam)
|
||||
#:use-module (guix gexp)
|
||||
#:use-module (guix records)
|
||||
#:export (pam-mount-configuration
|
||||
pam-mount-configuration?
|
||||
pam-mount-service-type))
|
||||
|
||||
(define %pam-mount-default-configuration
|
||||
`((debug (@ (enable "0")))
|
||||
(mntoptions (@ (allow ,(string-join
|
||||
'("nosuid" "nodev" "loop"
|
||||
"encryption" "fsck" "nonempty"
|
||||
"allow_root" "allow_other")
|
||||
","))))
|
||||
(mntoptions (@ (require "nosuid,nodev")))
|
||||
(logout (@ (wait "0")
|
||||
(hup "0")
|
||||
(term "no")
|
||||
(kill "no")))
|
||||
(mkmountpoint (@ (enable "1")
|
||||
(remove "true")))))
|
||||
|
||||
(define (make-pam-mount-configuration-file config)
|
||||
(computed-file
|
||||
"pam_mount.conf.xml"
|
||||
#~(begin
|
||||
(use-modules (sxml simple))
|
||||
(call-with-output-file #$output
|
||||
(lambda (port)
|
||||
(sxml->xml
|
||||
'(*TOP*
|
||||
(*PI* xml "version='1.0' encoding='utf-8'")
|
||||
(pam_mount
|
||||
#$@(pam-mount-configuration-rules config)
|
||||
(pmvarrun
|
||||
#$(file-append pam-mount
|
||||
"/sbin/pmvarrun -u '%(USER)' -o '%(OPERATION)'"))
|
||||
(cryptmount
|
||||
#$(file-append pam-mount
|
||||
(string-append
|
||||
"/sbin/mount.crypt"
|
||||
" '%(if %(CIPHER),-ocipher=%(CIPHER))'"
|
||||
" '%(if %(FSKEYCIPHER),"
|
||||
"-ofsk_cipher=%(FSKEYCIPHER))'"
|
||||
" '%(if %(FSKEYHASH),-ofsk_hash=%(FSKEYHASH))'"
|
||||
" '%(if %(FSKEYPATH),-okeyfile=%(FSKEYPATH))'"
|
||||
" '%(if %(OPTIONS),-o%(OPTIONS))'"
|
||||
" '%(VOLUME)' '%(MNTPT)'")))
|
||||
(cryptumount
|
||||
#$(file-append pam-mount "/sbin/umount.crypt '%(MNTPT)'"))))
|
||||
port))))))
|
||||
|
||||
(define-record-type* <pam-mount-configuration>
|
||||
pam-mount-configuration
|
||||
make-pam-mount-configuration
|
||||
pam-mount-configuration?
|
||||
(rules pam-mount-configuration-rules
|
||||
(default %pam-mount-default-configuration)))
|
||||
|
||||
(define (pam-mount-etc-service config)
|
||||
`(("security/pam_mount.conf.xml"
|
||||
,(make-pam-mount-configuration-file config))))
|
||||
|
||||
(define (pam-mount-pam-service config)
|
||||
(define optional-pam-mount
|
||||
(pam-entry
|
||||
(control "optional")
|
||||
(module #~(string-append #$pam-mount "/lib/security/pam_mount.so"))))
|
||||
(list (lambda (pam)
|
||||
(if (member (pam-service-name pam)
|
||||
'("login" "su" "slim" "gdm-password"))
|
||||
(pam-service
|
||||
(inherit pam)
|
||||
(auth (append (pam-service-auth pam)
|
||||
(list optional-pam-mount)))
|
||||
(session (append (pam-service-session pam)
|
||||
(list optional-pam-mount))))
|
||||
pam))))
|
||||
|
||||
(define pam-mount-service-type
|
||||
(service-type
|
||||
(name 'pam-mount)
|
||||
(extensions (list (service-extension etc-service-type
|
||||
pam-mount-etc-service)
|
||||
(service-extension pam-root-service-type
|
||||
pam-mount-pam-service)))
|
||||
(default-value (pam-mount-configuration))
|
||||
(description "Activate PAM-Mount support. It allows mounting volumes for
|
||||
specific users when they log in.")))
|
Loading…
Reference in a new issue