refactor(fprintd): add grosshack conf at top of pam conf

2024-02-07 15:32:27 -05:00 · 2024-02-07 15:32:27 -05:00 · 168191e3a3
commit 168191e3a3
parent 606348d77c
1 changed files with 16 additions and 68 deletions
--- a/devices/wim/modules/security.nix
+++ b/devices/wim/modules/security.nix
@ -1,12 +1,19 @@
 {
  pkgs,
  lib,
  config,
  lib,
  ...
 }: let
-  grosshack = config.customPkgs.pam-fprint-grosshack;
+  inherit (lib) mkDefault mkBefore;
-  grosshackSo = "${grosshack}/lib/security/pam_fprintd_grosshack.so";
+  inherit (config.customPkgs) pam-fprint-grosshack;
-  gnomeSo = "${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so";
+
  pam_fprintd_grosshackSo = "${pam-fprint-grosshack}/lib/security/pam_fprintd_grosshack.so";
  # https://wiki.archlinux.org/title/Fprint#Login_configuration
  grosshackConf = ''
    # pam-fprint-grosshack
    auth		sufficient  	${pam_fprintd_grosshackSo} timeout=99
    auth		sufficient  	pam_unix.so try_first_pass nullok
  '';
 in {
  services.fprintd.enable = true;
@ -22,69 +29,10 @@ in {
    Defaults        timestamp_timeout=600
  '';
  # https://stackoverflow.com/a/47041843
  security.pam.services = {
-    # all the changes in /etc/pam.d/*
+    sudo.text = mkDefault(mkBefore grosshackConf);
-    sddm.text = lib.mkBefore ''
+    login.text = mkDefault(mkBefore grosshackConf);
-      auth      [success=1 new_authtok_reqd=1 default=ignore]  	pam_unix.so try_first_pass likeauth nullok
+    polkit-1.text = mkDefault(mkBefore grosshackConf);
      auth      sufficient    ${pkgs.fprintd}/lib/security/pam_fprintd.so
    '';
    sudo.text = ''
      # Account management.
      auth    sufficient    ${grosshackSo}
      auth    sufficient    pam_unix.so try_first_pass nullok
      account required pam_unix.so
      # Authentication management.
      auth required pam_deny.so
      # Password management.
      password sufficient pam_unix.so nullok yescrypt
      # Session management.
      session required pam_env.so conffile=/etc/pam/environment readenv=0
      session required pam_unix.so
    '';
    login.text = ''
      # Account management.
      account required pam_unix.so
      # Authentication management.
      auth    sufficient    ${grosshackSo}
      auth optional pam_unix.so nullok  likeauth
      auth optional ${gnomeSo}
      auth    sufficient    pam_unix.so try_first_pass nullok
      auth required pam_deny.so
      # Password management.
      password sufficient pam_unix.so nullok yescrypt
      password optional ${gnomeSo} use_authtok
      # Session management.
      session required pam_env.so conffile=/etc/pam/environment readenv=0
      session required pam_unix.so
      session required pam_loginuid.so
      session required ${pkgs.pam}/lib/security/pam_lastlog.so silent
      session optional ${pkgs.systemd}/lib/security/pam_systemd.so
      session optional ${gnomeSo} auto_start
    '';
    polkit-1.text = ''
      # Account management.
      account required pam_unix.so
      # Authentication management.
      auth    sufficient    ${grosshackSo}
      auth    sufficient    pam_unix.so try_first_pass nullok
      auth required pam_deny.so
      # Password management.
      password sufficient pam_unix.so nullok yescrypt
      # Session management.
      session required pam_env.so conffile=/etc/pam/environment readenv=0
      session required pam_unix.so
    '';
  };
 }