From: "Ludovic Courtès" <ludo@gnu.org>
To: "Carlos Durán Domínguez" <wurt@wurtshell.com>
Cc: Tobias Geerinckx-Rice <me@tobias.gr>,
	Simon Tournier <zimon.toutoune@gmail.com>,
	paren@disroot.org, Christopher Baines <mail@cbaines.net>,
	Ricardo Wurmus <rekado@elephly.net>,
	Raghav Gururajan <rg@raghavgururajan.name>,
	jgart <jgart@dismail.de>, Mathieu Othacehe <othacehe@gnu.org>,
	65538@debbugs.gnu.org
Subject: [bug#65538] [PATCH v2] services: greetd: Add pam-gnupg support.
Date: Thu, 05 Oct 2023 14:57:09 +0200
Message-ID: <87il7l6xcq.fsf@gnu.org>
In-Reply-To: <20230825144806.6315-1-wurt@wurtshell.com> ("Carlos Durán Domínguez"'s message of "Fri, 25 Aug 2023 16:48:03 +0200")

Hello,

Carlos Durán Domínguez <wurt@wurtshell.com> skribis:

> I retried implementing the pam-gnupg module for the greetd system service. It is a PAM module that hands over your login password to gpg-agent. I added the documentation and the insert-before procedure (maybe it needs a better name), to ensure that the pam-gnupg module will be loaded at the end.
>
> * doc/guix.texi: documentation about #:gnupg? option on (greetd-configuration).
> * gnu/services.scm (insert-before): new procedure.
> * gnu/services/base.scm (greetd-configuration): new option #:gnupg?.
> * gnu/services/pam-mount.scm: ensure that pam mount module goes before pam gnupg module.
> * gnu/system/pam.scm (pam-gnupg-module?): new procedure and ensure that pam gnupg module is at the end of (unix-pam-service).

Nice work!

A minor point: the commit log should normally list all
changed/added/removed entities.  You can use ‘git log’ to see examples,
but the committer will tweak it for you if needed (no big deal).

[...]

> +@item @code{gnupg?} (default: @code{#f})
> +If enabled, @code{pam-gnupg} will attempt to automatically unlock the
> +user's GPG keys with the login password via @code{gpg-agent}.  The
> +keygrips of all keys to be unlocked should be written to
> +@file{~/.pam-gnupg}, and can be queried with @code{gpg -K
> +--with-keygrip}.  Presetting passphrases must be enabled by adding
> +@code{allow-preset-passphrase} in @file{~/.gnupg/gpg-agent.conf}.
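Review bot: the text should state the precondition that only keys whose passphrase equals the login password can be unlocked this way, since pam-gnupg can only preset the password it was handed at login; as written, a reader may expect any keygrip listed in @file{~/.pam-gnupg} to be unlocked regardless of its passphrase. It is also worth saying explicitly that this ties the protection of those keys to the strength of the login password, and that the @code{allow-preset-passphrase} setting applies to the user's own @command{gpg-agent}.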

Perhaps you can add a cross-reference to the relevant part of the GnuPG
manual?  (With @pxref or similar.)

> +(define (insert-before pred lst1 lst2)
> +    "Return a list appending LST2 just before the first element on LST1 that
> + satisfy the predicate PRED."
> +    (cond
> +     ((null? lst1) lst2)
> +     ((pred (car lst1)) (append lst2 lst1))
> +     (else (cons (car lst1) (insert-before pred (cdr lst1) lst2)))))
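Review bot: the docstring omits the fallback case: when no element of LST1 satisfies PRED, the recursion bottoms out at `((null? lst1) lst2)` and LST2 is appended at the end, which is the behaviour callers rely on whenever the pam-gnupg entry is absent; say so in the docstring, and "satisfy" should read "satisfies". The body is indented four spaces where the surrounding file uses two.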

I’d rather have it in (guix utils).  Also, please use ‘match’ and avoid
car/cdr as per
<https://guix.gnu.org/manual/devel/en/html_node/Data-Types-and-Pattern-Matching.html>.

>             (pam-service
>              (inherit pam)
> -            (auth (append (pam-service-auth pam)
> -                          (list optional-pam-mount)))
> -            (session (append (pam-service-session pam)
> -                             (list optional-pam-mount))))
> +            (auth (insert-before pam-gnupg-module?
> +                                 (pam-service-auth pam)
> +                                 (list optional-pam-mount)))
> +            (session (insert-before pam-gnupg-module?
> +                                   (pam-service-session pam)
> +                                   (list optional-pam-mount))))
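Review bot: the ordering this hunk introduces is undocumented: nothing here says why `optional-pam-mount` must precede the pam-gnupg entry in both `auth` and `session`, and the change also silently relies on `insert-before` appending its second list at the end when no entry satisfies `pam-gnupg-module?`, which is the only reason systems with `gnupg?` disabled keep pam_mount at all. A comment above the `pam-service` form stating both the reason for the order and the fallback would make this safe to maintain.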

Could you add a comment explaining why this ordering is important?

> +(define (pam-gnupg-module? name)
> +  "Return `#t' if NAME is the path to the pam-gnupg module, `#f' otherwise."
> + (equal? (pam-entry-module name)
> +         (file-append pam-gnupg "/lib/security/pam_gnupg.so")))
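Review bot: the parameter is a <pam-entry>, not a path as the name NAME and the docstring suggest (`pam-entry-module` is applied to it); rename it to ENTRY and fix the docstring. The `equal?` comparison builds a fresh `file-append` object on every call and compares it structurally against one embedding the `pam-gnupg` package record, so it can only match the exact `pam-gnupg` variable and fails for any inherited or modified variant; the check needs to avoid `equal?` over package objects. The body is also indented one space instead of two.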

<package> records in general cannot be compared with ‘equal?’, so the
above procedure won’t work in the general case.  (It wouldn’t work with
custom variants of the ‘pam-gnupg’ package, too.)

Can you think of another way we could check whether a <pam-entry>
corresponds to ‘pam-gnupg’?

Thanks,
Ludo’.
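As an added illustration, not code from the patch or from Guix, here is the ‘insert-before’ procedure rewritten with ‘match’ as the review asks, exercised on constructed PAM entries represented as module file-name strings; the ‘gnupg-module?’ predicate, the ‘check’ helper and the sample lists are assumptions made for the demonstration.

```scheme
(use-modules (ice-9 match))

(define (insert-before pred lst1 lst2)
  "Return LST1 with the elements of LST2 spliced in just before the first
element of LST1 that satisfies PRED.  When no element of LST1 satisfies PRED,
LST2 is appended at the end, so callers keep the old 'append' behaviour."
  (let loop ((lst lst1))
    (match lst
      (()
       lst2)
      ((head . tail)
       (if (pred head)
           (append lst2 lst)
           (cons head (loop tail)))))))

;; Constructed sample (assumption): PAM entries stand in as module file
;; names so the ordering logic can be exercised without <pam-entry> records.
(define (gnupg-module? module)
  (string=? module "pam_gnupg.so"))

(define auth-with-gnupg    '("pam_unix.so" "pam_gnupg.so"))
(define auth-without-gnupg '("pam_unix.so"))

;; Small self-check helper (assumption, not a Guix utility).
(define (check expected actual)
  (unless (equal? expected actual)
    (error "insert-before returned" actual)))

;; pam_mount lands just before pam_gnupg when that entry is present...
(check '("pam_unix.so" "pam_mount.so" "pam_gnupg.so")
       (insert-before gnupg-module? auth-with-gnupg '("pam_mount.so")))

;; ...and at the end when no pam_gnupg entry exists (the fallback case
;; the pam-mount hunk depends on).
(check '("pam_unix.so" "pam_mount.so")
       (insert-before gnupg-module? auth-without-gnupg '("pam_mount.so")))
```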
