diff --git a/m/fox/configuration.nix b/m/fox/configuration.nix
index 8c381f86..b9549db8 100644
--- a/m/fox/configuration.nix
+++ b/m/fox/configuration.nix
@@ -93,20 +93,4 @@
 wantedBy = [ "multi-user.target" ];
 serviceConfig.ExecStart = script;
 };
-
- # Only allow SSH connections from users who have a SLURM allocation
- # See: https://slurm.schedmd.com/pam_slurm_adopt.html
- security.pam.services.sshd.rules.account.slurm = {
- control = "required";
- enable = true;
- modulePath = "${pkgs.slurm}/lib/security/pam_slurm_adopt.so";
- args = [ "log_level=debug5" ];
- order = 999999; # Make it last one
- };
-
- # Disable systemd session (pam_systemd.so) as it will conflict with the
- # pam_slurm_adopt.so module. What happens is that the shell is first adopted
- # into the slurmstepd task and then into the systemd session, which is not
- # what we want, otherwise it will linger even if all jobs are gone.
- security.pam.services.sshd.startSession = lib.mkForce false;
 }
diff --git a/m/module/slurm-client.nix b/m/module/slurm-client.nix
index deec8441..66ad71cb 100644
--- a/m/module/slurm-client.nix
+++ b/m/module/slurm-client.nix
@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ lib, pkgs, ... }:
 { imports = [
@@ -21,4 +21,20 @@
 };
 services.slurm.client.enable = true;
+
+ # Only allow SSH connections from users who have a SLURM allocation
+ # See: https://slurm.schedmd.com/pam_slurm_adopt.html
+ security.pam.services.sshd.rules.account.slurm = {
+ control = "required";
+ enable = true;
+ modulePath = "${pkgs.slurm}/lib/security/pam_slurm_adopt.so";
+ args = [ "log_level=debug5" ];
+ order = 999999; # Make it last one
+ };
+
+ # Disable systemd session (pam_systemd.so) as it will conflict with the
+ # pam_slurm_adopt.so module. What happens is that the shell is first adopted
+ # into the slurmstepd task and then into the systemd session, which is not
+ # what we want, otherwise it will linger even if all jobs are gone.
+ security.pam.services.sshd.startSession = lib.mkForce false;
 }
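Review bot: Moving the `control = "required"` account rule into the shared slurm-client module (the `@@ -21,4 +21,20 @@` hunk) extends the SSH restriction from fox to every host that imports the module. Nothing visible here exempts login or head nodes, or non-root administrators who hold no allocation. Which hosts import slurm-client.nix is not shown in this diff, so confirm that none of them must accept SSH from users without a running job, or gate the rule behind a module option so hosts opt in explicitly. The carried-over `args = [ "log_level=debug5" ];` also looks like a debugging leftover, since it now makes pam_slurm_adopt log at its most verbose level on every SSH login across all those hosts. I would drop the argument, or lower it to `args = [ "log_level=info" ];` once the setup is verified.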