How to restrict user login times?

I found the solution for non-NixOS systems, but I don’t know how to set this up declaratively using Nix configuration.

How might I do this? Would it be compatible with home-manager?

home-manager is irrelevant; this is system config.

Did you try just creating the file directly? Config files in /etc usually just work, since that’s the same on NixOS and outside of it.

  environment.etc."security/time.conf".text = ''
    stuff here....
  '';

Hmm.

NixOS has a lot for PAM. How would I achieve the part about adding account required pam_exec.so /usr/bin/test -r /etc/security/time.conf && /usr/bin/egrep -q "sshd;[^;]+;arazahmadov;Al1900-2300" /etc/security/time.conf to /etc/pam.d/sshd?

What would the option for that be?

Sorry if this is something considered simple in NixOS. I’m fairly new to all this.

that guide isn’t great because it assumes you have pam_time already installed… well that and it does some really weird stuff

you should configure pam_time using the NixOS module system … i would have to reference documentation to help with that and don’t have the time at the moment but maybe i can cycle back to this later if you’re unable to figure out our pam documentation

i poked around a bit and came up with this snippet which could be added to your configuration.nix and adjusted to your needs:

  security.pam.services.sshd.rules = {
    account = {
      time = {
        control = "required";
        modulePath = "${pkgs.pam}/lib/security/pam_time.so";
        order = 10901;
        settings = {
          debug = true;
          conffile = pkgs.writeText "time.conf" ''
            sshd;*;arazahmadov;Al1900-2300
          '';
        };
      };
    };
  };

for me this appears to create a pam configuration for ssh that you want:

aaron@framework ~/nixos (master)> cat /nix/store/29h3ickvi8cj6kfz6f85y6jkp0ycgwwf-sshd.pam
# Account management.
account required /nix/store/fgdhjn2n5gj6gb4szz20kvkibg9qih1b-linux-pam-1.6.1/lib/security/pam_unix.so # unix (order 10900)
account required /nix/store/fgdhjn2n5gj6gb4szz20kvkibg9qih1b-linux-pam-1.6.1/lib/security/pam_time.so conffile=/nix/store/71r2rnc3n9wvy7lmfma9ni4lg9vz3r9q-time.conf debug # time (order 10901)

# Authentication management.
auth sufficient /nix/store/lh1mg836l4hjn01chrzn953mwfbjgfvz-fprintd-1.94.4/lib/security/pam_fprintd.so # fprintd (order 11400)
auth required /nix/store/fgdhjn2n5gj6gb4szz20kvkibg9qih1b-linux-pam-1.6.1/lib/security/pam_deny.so # deny (order 12400)

# Password management.
password sufficient /nix/store/fgdhjn2n5gj6gb4szz20kvkibg9qih1b-linux-pam-1.6.1/lib/security/pam_unix.so nullok yescrypt # unix (order 10200)

# Session management.
session required /nix/store/fgdhjn2n5gj6gb4szz20kvkibg9qih1b-linux-pam-1.6.1/lib/security/pam_env.so conffile=/etc/pam/environment readenv=0 # env (order 10100)
session required /nix/store/fgdhjn2n5gj6gb4szz20kvkibg9qih1b-linux-pam-1.6.1/lib/security/pam_unix.so # unix (order 10200)
session required /nix/store/fgdhjn2n5gj6gb4szz20kvkibg9qih1b-linux-pam-1.6.1/lib/security/pam_loginuid.so # loginuid (order 10300)
session optional /nix/store/3abwqv1a1bdycmgaydzfw3a0qzxwk8am-systemd-256.8/lib/security/pam_systemd.so # systemd (order 12000)
session required /nix/store/fgdhjn2n5gj6gb4szz20kvkibg9qih1b-linux-pam-1.6.1/lib/security/pam_limits.so conf=/nix/store/2sj4krpwpmbff9qbxg36pzj3n1v166sq-limits.conf # limits (order 12200)

btw this seems like a much better article than the one you linked, maybe you can refer to it when tweaking the nix code i provided you with


please let us know how it goes, i didn’t test this at all
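
A way to sanity-check a time.conf rule such as the one in the snippet above before switching to it, since a wrong rule can lock the account out of SSH. This is an added example, not part of the thread and not Linux-PAM code: a simplified Python model of how pam_time evaluates the `services;ttys;users;times` fields. The function names are made up for this example, and netgroup (`@`) matching and line continuations are not modelled.

```python
import re
from datetime import datetime

# Day codes from time.conf(5) as bitmasks: Wk = Mo-Fr, Wd = Sa+Su, Al = every day.
DAYS = {"su": 0o1, "mo": 0o2, "tu": 0o4, "we": 0o10, "th": 0o20, "fr": 0o40,
        "sa": 0o100, "wk": 0o76, "wd": 0o101, "al": 0o177}
CONF = "sshd;*;arazahmadov;Al1900-2300\n"  # the rule from the snippet above

def logic_field(field, test):
    """Evaluate 'a|b&!c' strictly left to right; '!' negates one token."""
    result, op = False, "|"
    for tok in re.split(r"([&|])", field.strip()):
        if tok in ("&", "|"):
            op = tok
            continue
        val = test(tok.strip().lstrip("!")) != tok.strip().startswith("!")
        result = (result and val) if op == "&" else (result or val)
    return result

def name_matches(pattern, value):
    """Literal match, or a single '*' with optional prefix and suffix."""
    if "*" not in pattern:
        return pattern == value
    head, tail = pattern.split("*", 1)
    return value.startswith(head) and value.endswith(tail)

def time_matches(spec, when):
    """Check one times token such as 'Al1900-2300' against a datetime."""
    i, marked = 0, 0
    while spec[i:i + 2].isalpha():
        marked ^= DAYS[spec[i:i + 2].lower()]  # a repeated day toggles off
        i += 2
    start, end = (int(x) for x in spec[i:].split("-"))
    today = 1 << ((when.weekday() + 1) % 7)    # Sunday is bit 0
    now = when.hour * 100 + when.minute
    if start < end:                            # window within one day
        return bool(today & marked) and start <= now < end
    if today & marked and now >= start:        # window wraps past midnight
        return True
    spill = ((marked << 1) | (marked >> 6)) & 0o177  # the day after
    return bool(today & spill) and now <= end

def login_allowed(conf, service, tty, user, when):
    """Deny when any rule that applies to the login fails its times field."""
    for line in conf.splitlines():
        fields = [f.strip() for f in line.split("#", 1)[0].split(";")]
        if len(fields) != 4:
            continue  # blank, comment-only or malformed line: skipped in this model
        applies = all(logic_field(pat, lambda p, v=val: name_matches(p, v))
                      for pat, val in zip(fields, (service, tty, user)))
        if applies and not logic_field(fields[3], lambda t: time_matches(t, when)):
            return False
    return True
```

Calling `login_allowed(CONF, "sshd", "ssh", "arazahmadov", datetime(...))` with times on either side of the window shows that the end time is exclusive and that users not named in any rule are unaffected.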