refactor(fprintd): add grosshack conf at top of pam conf

2024-02-07 15:32:27 -05:00 · 2024-02-07 15:32:27 -05:00 · 168191e3a3
parent 606348d77c
commit 168191e3a3
1 changed files with 16 additions and 68 deletions
--- a/devices/wim/modules/security.nix
+++ b/devices/wim/modules/security.nix
@ -1,12 +1,19 @@
 {
-  pkgs,
-  lib,
  config,
+  lib,
  ...
 }: let
-  grosshack = config.customPkgs.pam-fprint-grosshack;
-  grosshackSo = "${grosshack}/lib/security/pam_fprintd_grosshack.so";
-  gnomeSo = "${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so";
+  inherit (lib) mkDefault mkBefore;
+  inherit (config.customPkgs) pam-fprint-grosshack;
+
+  pam_fprintd_grosshackSo = "${pam-fprint-grosshack}/lib/security/pam_fprintd_grosshack.so";
+
+  # https://wiki.archlinux.org/title/Fprint#Login_configuration
+  grosshackConf = ''
+    # pam-fprint-grosshack
+    auth		sufficient  	${pam_fprintd_grosshackSo} timeout=99
+    auth		sufficient  	pam_unix.so try_first_pass nullok
+  '';
 in {
  services.fprintd.enable = true;

@ -22,69 +29,10 @@ in {
    Defaults        timestamp_timeout=600
  '';

+  # https://stackoverflow.com/a/47041843
  security.pam.services = {
-    # all the changes in /etc/pam.d/*
-    sddm.text = lib.mkBefore ''
-      auth      [success=1 new_authtok_reqd=1 default=ignore]  	pam_unix.so try_first_pass likeauth nullok
-      auth      sufficient    ${pkgs.fprintd}/lib/security/pam_fprintd.so
-    '';
-
-    sudo.text = ''
-      # Account management.
-      auth    sufficient    ${grosshackSo}
-      auth    sufficient    pam_unix.so try_first_pass nullok
-      account required pam_unix.so
-
-      # Authentication management.
-      auth required pam_deny.so
-
-      # Password management.
-      password sufficient pam_unix.so nullok yescrypt
-
-      # Session management.
-      session required pam_env.so conffile=/etc/pam/environment readenv=0
-      session required pam_unix.so
-    '';
-
-    login.text = ''
-      # Account management.
-      account required pam_unix.so
-
-      # Authentication management.
-      auth    sufficient    ${grosshackSo}
-      auth optional pam_unix.so nullok  likeauth
-      auth optional ${gnomeSo}
-      auth    sufficient    pam_unix.so try_first_pass nullok
-      auth required pam_deny.so
-
-      # Password management.
-      password sufficient pam_unix.so nullok yescrypt
-      password optional ${gnomeSo} use_authtok
-
-      # Session management.
-      session required pam_env.so conffile=/etc/pam/environment readenv=0
-      session required pam_unix.so
-      session required pam_loginuid.so
-      session required ${pkgs.pam}/lib/security/pam_lastlog.so silent
-      session optional ${pkgs.systemd}/lib/security/pam_systemd.so
-      session optional ${gnomeSo} auto_start
-    '';
-
-    polkit-1.text = ''
-      # Account management.
-      account required pam_unix.so
-
-      # Authentication management.
-      auth    sufficient    ${grosshackSo}
-      auth    sufficient    pam_unix.so try_first_pass nullok
-      auth required pam_deny.so
-
-      # Password management.
-      password sufficient pam_unix.so nullok yescrypt
-
-      # Session management.
-      session required pam_env.so conffile=/etc/pam/environment readenv=0
-      session required pam_unix.so
-    '';
+    sudo.text = mkDefault(mkBefore grosshackConf);
+    login.text = mkDefault(mkBefore grosshackConf);
+    polkit-1.text = mkDefault(mkBefore grosshackConf);
  };
 }