Skip to content

Commit

Permalink
fix(login): add custom PAM rules for desktop login
Browse files Browse the repository at this point in the history
  - remove fprint auth from greetd as user home needs decryption
  - add custom rule to require users to be in group 'video', preventing
    admin login on GUI
  - remove older 'desktop' group in favor of 'video'
  - fix user creation script to disallow creating user duplicates
  - fix user creation script to allow '-' characters in name
  - move ollama persistent directory to service, removing failing ollama
    user/group setting
  - move XDG parameters from gui-vm to labc config

Signed-off-by: Manuel Bluhm <[email protected]>
  • Loading branch information
mbssrc authored and brianmcgillion committed Jan 9, 2025
1 parent 606a182 commit 489db31
Show file tree
Hide file tree
Showing 7 changed files with 67 additions and 59 deletions.
6 changes: 4 additions & 2 deletions modules/common/users/admin.nix
Original file line number Diff line number Diff line change
Expand Up @@ -93,10 +93,12 @@ in
extraGroups =
[
"wheel"
"video"
]
++ cfg.extraGroups
++ optionals cfg.createHome [ "desktop" ]
++ optionals cfg.createHome [
"audio"
"video"
]
++ optionals config.security.tpm2.enable [ "tss" ]
++ optionals config.ghaf.virtualization.docker.daemon.enable [ "docker" ];
};
Expand Down
15 changes: 6 additions & 9 deletions modules/common/users/desktop.nix
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,10 @@ let
extraGroups = mkOption {
description = "Extra groups for the login user.";
type = types.listOf types.str;
default = [ ];
default = [
"audio"
"video"
];
};
homeSize = mkOption {
description = ''
Expand Down Expand Up @@ -137,12 +140,6 @@ in
members = [ cfg.appUser.name ];
};
})
{
"desktop" = {
name = "desktop";
members = [ ];
};
}
];
};
}
Expand Down Expand Up @@ -177,9 +174,9 @@ in
echo -n "Enter your user name: "
read -e -r USERNAME
USERNAME=''${USERNAME// /_}
USERNAME=''${USERNAME//[^a-zA-Z0-9_]/}
USERNAME=''${USERNAME//[^a-zA-Z0-9_-]/}
USERNAME=''$(echo -n "$USERNAME" | tr '[:upper:]' '[:lower:]')
if grep -q -w "$USERNAME:" /etc/passwd; then
if grep -q "$USERNAME:" /etc/passwd; then
echo "User $USERNAME already exists. Please choose another user name."
else
ACCEPTABLE_USER=true
Expand Down
30 changes: 27 additions & 3 deletions modules/desktop/graphics/labwc.nix
Original file line number Diff line number Diff line change
Expand Up @@ -162,12 +162,37 @@ in
XDG_DATA_HOME = "$HOME/.local/share";
XDG_STATE_HOME = "$HOME/.local/state";
XDG_CACHE_HOME = "$HOME/.cache";
XDG_PICTURES_DIR = "$HOME/Pictures";
XDG_VIDEOS_DIR = "$HOME/Videos";
GSETTINGS_SCHEMA_DIR = "${pkgs.gsettings-desktop-schemas}/share/gsettings-schemas/${pkgs.gsettings-desktop-schemas.name}/glib-2.0/schemas";
};
};

# It will create a /etc/pam.d/ file for authentication
security.pam.services.gtklock = { };
# Create custom PAM rules
security.pam.services = {
gtklock = {
rules.auth = {
systemd_home.order = 11399; # Re-order to allow either password _or_ fingerprint
fprintd.args = [ "maxtries=3" ];
};
};
greetd = {
fprintAuth = false; # User needs to enter password to decrypt home
rules = {
account.group = {
enable = true;
control = "requisite";
modulePath = "${pkgs.linux-pam}/lib/security/pam_succeed_if.so";
order = 10000;
args = [
"user"
"ingroup"
"video"
];
};
};
};
};

# Needed for power commands
security.polkit.enable = true;
Expand All @@ -179,7 +204,6 @@ in
BindsTo = [ "graphical-session.target" ];
After = [ "graphical-session-pre.target" ];
Wants = [ "graphical-session-pre.target" ];
ConditionGroup = "desktop";
};
};

Expand Down
1 change: 0 additions & 1 deletion modules/microvm/virtualization/microvm/audiovm.nix
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,6 @@ let
enable = true;
extraGroups = [
"audio"
"video"
"pipewire"
];
};
Expand Down
24 changes: 1 addition & 23 deletions modules/microvm/virtualization/microvm/guivm.nix
Original file line number Diff line number Diff line change
Expand Up @@ -72,17 +72,7 @@ let
applications.enable = false;
graphics.enable = true;
};
users = {
loginUser = {
enable = true;
extraGroups = [
"audio"
"video"
"desktop"
];
};
};

users.loginUser.enable = true;
development = {
ssh.daemon.enable = lib.mkDefault config.ghaf.development.ssh.daemon.enable;
debug.tools.enable = lib.mkDefault config.ghaf.development.debug.tools.enable;
Expand All @@ -108,14 +98,6 @@ let
storagevm = {
enable = true;
name = vmName;
directories = [
{
directory = "/var/lib/private/ollama";
user = "ollama";
group = "ollama";
mode = "u=rwx,g=,o=";
}
];
};

# Services
Expand Down Expand Up @@ -219,10 +201,6 @@ let
pkgs.libva-utils
pkgs.glib
];
sessionVariables = {
XDG_PICTURES_DIR = "$HOME/Pictures";
XDG_VIDEOS_DIR = "$HOME/Videos";
};
};

time.timeZone = config.time.timeZone;
Expand Down
4 changes: 1 addition & 3 deletions modules/microvm/virtualization/microvm/microvm-host.nix
Original file line number Diff line number Diff line change
Expand Up @@ -134,15 +134,13 @@ in
'';
};
in
mkIf config.ghaf.profiles.debug.enable {
{
description = "Remove ghaf login users";
enable = true;
path = [ userRemovalScript ];
unitConfig.ConditionPathExists = "/storagevm/gui-vm/var/lib/nixos/user.lock";
serviceConfig = {
Type = "oneshot";
StandardOutput = "journal";
StandardError = "journal";
ExecStart = "${userRemovalScript}/bin/remove-users";
};
};
Expand Down
46 changes: 28 additions & 18 deletions modules/reference/services/ollama/ollama.nix
Original file line number Diff line number Diff line change
Expand Up @@ -8,14 +8,23 @@
}:
let
cfg = config.ghaf.reference.services;
inherit (lib) mkIf;
inherit (lib) mkIf optionalAttrs;
in
{
config = mkIf cfg.ollama {
services.ollama = {
enable = true;
openFirewall = true;
host = "0.0.0.0";
host = "127.0.0.1";
};

ghaf = optionalAttrs (builtins.hasAttr "storagevm" config.ghaf) {
storagevm.directories = [
{
directory = "/var/lib/private/ollama";
mode = "u=rwx,g=,o=";
}
];
};

environment.systemPackages = [
Expand Down Expand Up @@ -72,23 +81,24 @@ in
# its own.
system.userActivationScripts.alpaca-configure = {
text = ''
source ${config.system.build.setEnvironment}
mkdir -p $HOME/.config/com.jeffser.Alpaca
cat <<EOF > $HOME/.config/com.jeffser.Alpaca/server.json
[[ "$UID" != ${toString config.ghaf.users.loginUser.uid} ]] && exit 0
source ${config.system.build.setEnvironment}
mkdir -p $HOME/.config/com.jeffser.Alpaca
cat <<EOF > $HOME/.config/com.jeffser.Alpaca/server.json
{
"remote_url": "http://localhost:11434",
"remote_bearer_token": "",
"run_remote": true,
"local_port": 11435,
"run_on_background": false,
"powersaver_warning": true,
"model_tweaks": {
"temperature": 0.7,
"seed": 0,
"keep_alive": 5
},
"ollama_overrides": {},
"idle_timer": 0
"remote_url": "http://localhost:11434",
"remote_bearer_token": "",
"run_remote": true,
"local_port": 11435,
"run_on_background": false,
"powersaver_warning": true,
"model_tweaks": {
"temperature": 0.7,
"seed": 0,
"keep_alive": 5
},
"ollama_overrides": {},
"idle_timer": 0
}
EOF
'';
Expand Down

0 comments on commit 489db31

Please sign in to comment.