NixOS · rnhmjoj · May 5, 2020 · May 5, 2020 · rnhmjoj · May 5, 2020
diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix
@@ -24,22 +24,6 @@ let
     motd=${boolToStr cfg.motd}
     accept_env_factor=${boolToStr cfg.acceptEnvFactor}
   '';
-
-  loginCfgFile = optionalAttrs cfg.ssh.enable {
-    "duo/login_duo.conf" =
-      { source = pkgs.writeText "login_duo.conf" configFileLogin;
-        mode   = "0600";
-        user   = "sshd";
-      };
-  };
-
-  pamCfgFile = optional cfg.pam.enable {
-    "duo/pam_duo.conf" =
-      { source = pkgs.writeText "pam_duo.conf" configFilePam;
-        mode   = "0600";
-        user   = "sshd";
-      };
-  };
 in
 {
   imports = [
@@ -198,7 +182,18 @@ in
      environment.systemPackages = [ pkgs.duo-unix ];
 
      security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo";
-     environment.etc = loginCfgFile // pamCfgFile;
+
+     environment.etc."duo/login_duo.conf" = mkIf cfg.ssh.enable
+       { source = pkgs.writeText "login_duo.conf" configFileLogin;
+         mode = "0600";
+         user = "sshd";
+       };
+
+     environment.etc."duo/pam_duo.conf" = mkIf cfg.pam.enable
+       { source = pkgs.writeText "pam_duo.conf" configFilePam;
+         mode = "0600";
+         user = "sshd";
+       };
 
      /* If PAM *and* SSH are enabled, then don't do anything special.
      If PAM isn't used, set the default SSH-only options. */