services: slim: Add pam-gnupg support.

* gnu/system/pam.scm (unix-pam-service): Add account and session PAM entries for pam-gnupg. Don't pass "#f" to "allow-root?" argument, because "lambda*" already does this by default. * doc/guix.texi (X Window): Document this. * gnu/services/xorg.scm (<slim-configuration>)[gnupg?]: New record field. (slim-pam-service): Pass "#:gnupg?" argument to "unix-pam-service".
2021-03-21 21:34:07 +03:00 · 2021-03-21 21:34:07 +03:00 · b948ab8b56
parent ef4a931532
commit b948ab8b56
3 changed files with 31 additions and 5 deletions
--- a/doc/guix.texi
+++ b/doc/guix.texi
@ -18065,6 +18065,14 @@ Data type representing the configuration of @code{slim-service-type}.
@item @code{allow-empty-passwords?} (default: @code{#t})
 Whether to allow logins with empty passwords.

+@item @code{gnupg?} (default: @code{#f})
+If enabled, @code{pam-gnupg} will attempt to automatically unlock the
+user's GPG keys with the login password via @code{gpg-agent}.  The
+keygrips of all keys to be unlocked should be written to
+@file{~/.pam-gnupg}, and can be queried with @code{gpg -K
+--with-keygrip}.  Presetting passphrases must be enabled by adding
+@code{allow-preset-passphrase} in @file{~/.gnupg/gpg-agent.conf}.
+
@item @code{auto-login?} (default: @code{#f})
@itemx @code{default-user} (default: @code{""})
 When @code{auto-login?} is false, SLiM presents a log-in screen.
--- a/gnu/services/xorg.scm
+++ b/gnu/services/xorg.scm
@ -9,6 +9,7 @@
 ;;; Copyright © 2020 Jakub Kądziołka <kuba@kadziolka.net>
 ;;; Copyright © 2020 Alex Griffin <a@ajgrf.com>
 ;;; Copyright © 2021 Brice Waegeneire <brice@waegenei.re>
+;;; Copyright © 2021 Oleg Pykhalov <go.wigust@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@ -543,6 +544,8 @@ a `service-extension', as used by `set-xorg-configuration'."
        (default slim))
  (allow-empty-passwords? slim-configuration-allow-empty-passwords?
                          (default #t))
+  (gnupg? slim-configuration-gnupg?
+          (default #f))
  (auto-login? slim-configuration-auto-login?
               (default #f))
  (default-user slim-configuration-default-user
@ -572,7 +575,9 @@ a `service-extension', as used by `set-xorg-configuration'."
         "slim"
         #:login-uid? #t
         #:allow-empty-passwords?
-         (slim-configuration-allow-empty-passwords? config))))
+         (slim-configuration-allow-empty-passwords? config)
+         #:gnupg?
+         (slim-configuration-gnupg? config))))

 (define (slim-shepherd-service config)
  (let* ((xinitrc (xinitrc #:fallback-session
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@ -27,6 +27,7 @@
  #:use-module (srfi srfi-11)
  #:use-module (srfi srfi-26)
  #:use-module ((guix utils) #:select (%current-system))
+  #:use-module (gnu packages linux)
  #:export (pam-service
            pam-service-name
            pam-service-account
@ -207,14 +208,16 @@ dumped in /etc/pam.d/NAME, where NAME is the name of SERVICE."
        (env  (pam-entry ; to honor /etc/environment.
               (control "required")
               (module "pam_env.so"))))
-    (lambda* (name #:key allow-empty-passwords? (allow-root? #f) motd
-                   login-uid?)
+    (lambda* (name #:key allow-empty-passwords? allow-root? motd
+              login-uid? gnupg?)
      "Return a standard Unix-style PAM service for NAME.  When
 ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords.  When ALLOW-ROOT? is
 true, allow root to run the command without authentication.  When MOTD is
 true, it should be a file-like object used as the message-of-the-day.
 When LOGIN-UID? is true, require the 'pam_loginuid' module; that module sets
-/proc/self/loginuid, which the libc 'getlogin' function relies on."
+/proc/self/loginuid, which the libc 'getlogin' function relies on.  When
+GNUPG? is true, require the 'pam_gnupg.so' module; that module hands over
+the login password to 'gpg-agent'."
      ;; See <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>.
      (pam-service
       (name name)
@ -229,7 +232,12 @@ When LOGIN-UID? is true, require the 'pam_loginuid' module; that module sets
                                (control "required")
                                (module "pam_unix.so")
                                (arguments '("nullok")))
-                               unix))))
+                               unix))
+                     (if gnupg?
+                         (list (pam-entry
+                                (control "required")
+                                (module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))))
+                         '())))
       (password (list (pam-entry
                        (control "required")
                        (module "pam_unix.so")
@ -247,6 +255,11 @@ When LOGIN-UID? is true, require the 'pam_loginuid' module; that module sets
                               (control "required")
                               (module "pam_loginuid.so")))
                        '())
+                  ,@(if gnupg?
+                        (list (pam-entry
+                               (control "required")
+                               (module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))))
+                        '())
                  ,env ,unix))))))

 (define (rootok-pam-service command)