diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix index c686a6861d0fc..5c791edcf8f00 100644 --- a/nixos/modules/security/duosec.nix +++ b/nixos/modules/security/duosec.nix @@ -24,22 +24,6 @@ let motd=${boolToStr cfg.motd} accept_env_factor=${boolToStr cfg.acceptEnvFactor} ''; - - loginCfgFile = optionalAttrs cfg.ssh.enable { - "duo/login_duo.conf" = - { source = pkgs.writeText "login_duo.conf" configFileLogin; - mode = "0600"; - user = "sshd"; - }; - }; - - pamCfgFile = optional cfg.pam.enable { - "duo/pam_duo.conf" = - { source = pkgs.writeText "pam_duo.conf" configFilePam; - mode = "0600"; - user = "sshd"; - }; - }; in { imports = [ @@ -198,7 +182,18 @@ in environment.systemPackages = [ pkgs.duo-unix ]; security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo"; - environment.etc = loginCfgFile // pamCfgFile; + + environment.etc."duo/login_duo.conf" = mkIf cfg.ssh.enable + { source = pkgs.writeText "login_duo.conf" configFileLogin; + mode = "0600"; + user = "sshd"; + }; + + environment.etc."duo/pam_duo.conf" = mkIf cfg.pam.enable + { source = pkgs.writeText "pam_duo.conf" configFilePam; + mode = "0600"; + user = "sshd"; + }; /* If PAM *and* SSH are enabled, then don't do anything special. If PAM isn't used, set the default SSH-only options. */