From a36eff8749af4b390e0d0fc74c7f1180e4a64bf6 Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo
Date: Tue, 2 Sep 2025 17:12:56 +0200
Subject: [PATCH] Revert "Remove pam_slurm_adopt from fox"

This reverts commit 1eac0fcad8211195499bc566e6c70312b31af700.

Reviewed-by: Aleix Roca Nonell
---
 m/fox/configuration.nix | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/m/fox/configuration.nix b/m/fox/configuration.nix
index 198b9c12..fc35e0d1 100644
--- a/m/fox/configuration.nix
+++ b/m/fox/configuration.nix
@@ -95,4 +95,20 @@
 wantedBy = [ "multi-user.target" ];
 serviceConfig.ExecStart = script;
 };
+
+ # Only allow SSH connections from users who have a SLURM allocation
+ # See: https://slurm.schedmd.com/pam_slurm_adopt.html
+ security.pam.services.sshd.rules.account.slurm = {
+ control = "required";
+ enable = true;
+ modulePath = "${pkgs.slurm}/lib/security/pam_slurm_adopt.so";
+ args = [ "log_level=debug5" ];
+ order = 999999; # Make it last one
+ };
+
+ # Disable systemd session (pam_systemd.so) as it will conflict with the
+ # pam_slurm_adopt.so module. What happens is that the shell is first adopted
+ # into the slurmstepd task and then into the systemd session, which is not
+ # what we want, otherwise it will linger even if all jobs are gone.
+ security.pam.services.sshd.startSession = lib.mkForce false;
 }
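Review bot: `args = [ "log_level=debug5" ];` runs pam_slurm_adopt at its most verbose level on every SSH account check, which looks like a debugging leftover; the volume makes genuine denials harder to pick out of the auth log. Either drop the argument, set `args = [ "log_level=info" ];`, or add a comment explaining why debug5 must stay on this host. Separately, the rule is `required` but ordered last (`order = 999999`), so an earlier `sufficient` account rule that succeeds would end the stack before the allocation check runs. The rest of the sshd account stack lies outside this hunk, so confirm against the generated PAM file for sshd that nothing short-circuits ahead of it.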