From 8a88b8b0b5924f8ed00a49e79714cb005cffc7cb Mon Sep 17 00:00:00 2001 From: Brian Cully Date: Tue, 18 Jul 2023 10:06:16 -0400 Subject: services: Add pam-mount-volume-service-type. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The `pam-mount-volumes-service-type' adds additional volumes to the pam-mount-service-type in addition to any that are already specified in `pam-mount-rules'. * doc/guix.texi (PAM Mount Volume Service): add documentation for `pam-mount-service-type'. * gnu/services/pam-mount.scm: new file. * Makefile.am: add pam-mount tests * tests/services/pam-mount.scm: new tests Signed-off-by: Ludovic Courtès --- doc/guix.texi | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 99 insertions(+) (limited to 'doc') diff --git a/doc/guix.texi b/doc/guix.texi index 65ca18a1be..71f9f29169 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -116,6 +116,7 @@ Copyright @copyright{} 2022 Antero Mejr@* Copyright @copyright{} 2023 Karl Hallsby@* Copyright @copyright{} 2023 Nathaniel Nicandro@* Copyright @copyright{} 2023 Tanguy Le Carrour@* +Copyright @copyright{} 2023 Brian Cully@* Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or 
@@ -37927,6 +37928,104 @@ The complete list of possible options can be found in the man page for @end table @end deftp +@subheading PAM Mount Volume Service +@cindex pam volume mounting + +PAM mount volumes are automatically mounted at login by the PAM login +service according to a set of per-volume rules. Because they are +mounted by PAM the password entered during login may be used directly to +mount authenticated volumes, such as @code{cifs}, using the same +credentials. + +These volumes will be added in addition to any volumes directly +specified in @code{pam-mount-rules}. + +Here is an example of a rule which will mount a remote CIFS share from +@file{//remote-server/share} into a sub-directory of @file{/shares} +named after the user logging in: + +@lisp +(simple-service 'pam-mount-remote-share pam-mount-volume-service-type + (list (pam-mount-volume + (secondary-group "users") + (file-system-type "cifs") + (server "remote-server") + (file-name "share") + (mount-point "/shares/%(USER)") + (options "nosuid,nodev,seal,cifsacl")))) +@end lisp + +@deftp {Data Type} pam-mount-volume-service-type +Configuration for a single volume to be mounted. Any fields not +specified will be omitted from the run-time PAM configuration. See +@uref{http://pam-mount.sourceforge.net/pam_mount.conf.5.html, +the man page} for the default values when unspecified. + +@table @asis +@item @code{user-name} (type: maybe-string) +Mount the volume for the given user. + +@item @code{user-id} (type: maybe-integer-or-range) +Mount the volume for the user with this ID. This field may also be +specified as a pair of @code{(start . end)} indicating a range of user +IDs for whom to mount the volume. + +@item @code{primary-group} (type: maybe-string) +Mount the volume for users with this primary group name. + +@item @code{group-id} (type: maybe-integer-or-range) +Mount the volume for the users with this primary group ID. This field +may also be specified as a cons cell of @code{(start . 
end)} indicating +a range of group ids for whom to mount the volume. + +@item @code{secondary-group} (type: maybe-string) +Mount the volume for users who are members of this group as either a +primary or secondary group. + +@item @code{file-system-type} (type: maybe-string) +The file system type for the volume being mounted (e.g., @code{cifs}) + +@item @code{no-mount-as-root?} (type: maybe-boolean) +Whether or not to mount the volume with root privileges. This is +normally disabled, but may be enabled for mounts of type @code{fuse}, or +other user-level mounts. + +@item @code{server} (type: maybe-string) +The name of the remote server to mount the volume from, when necessary. + +@item @code{file-name} (type: maybe-string) +The location of the volume, either local or remote, depending on the +@code{file-system-type}. + +@item @code{mount-point} (type: maybe-string) +Where to mount the volume in the local file-system. This may be set to +@file{~} to indicate the home directory of the user logging in. If this +field is omitted then @file{/etc/fstab} is consulted for the mount +destination. + +@item @code{options} (type: maybe-string) +The options to be passed as-is to the underlying mount program. + +@item @code{ssh?} (type: maybe-boolean) +Enable this option to pass the login password to SSH for use with mounts +involving SSH (e.g., @code{sshfs}). + +@item @code{cipher} (type: maybe-string) +Cryptsetup cipher name for the volume. To be used with the @code{crypt} +@code{file-system-type}. + +@item @code{file-system-key-cipher} (type: maybe-string) +Cipher name used by the target volume. + +@item @code{file-system-key-hash} (type: maybe-string) +SSL hash name used by the target volume. + +@item @code{file-system-key-file-name} (type: maybe-string) +File name of the file system key for the target volume. + +@end table +@end deftp + @node Guix Services @subsection Guix Services -- cgit v1.2.3
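Review bot: in the second hunk, the header `@deftp {Data Type} pam-mount-volume-service-type` names the service type, but the field table beneath it documents the record that the example constructs with `(pam-mount-volume ...)`, so the header should be `@deftp {Data Type} pam-mount-volume`, with the service type (whose extension value is a list of such records) getting its own short entry. Two wording issues in the same table: the `no-mount-as-root?` description opens with "Whether or not to mount the volume with root privileges", which is the inverse of the field name, while the next sentence ("This is normally disabled, but may be enabled for mounts of type @code{fuse}") matches the name; the first sentence should say "without root privileges" so an administrator does not enable it expecting a root mount. The `file-system-type` entry is also missing its trailing period, and the `@uref` to the pam_mount.conf man page, which readers are told to consult for default values, uses a plain `http://` URL; use `https://` if the site serves it.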