little-lightning: pam_reattach.so

builders.nix

@@ -9,6 +9,18 @@ let
       self.overlays.default
       inputs.niri.overlays.niri
       inputs.lix-module.overlays.lixFromNixpkgs
+
+      (final: prev: {
+        tmux = prev.tmux.overrideAttrs (old: rec {
+          version = "3.5";
+          src = prev.fetchFromGitHub {
+            owner = "tmux";
+            repo = "tmux";
+            rev = version;
+            hash = "sha256-8CRZj7UyBhuB5QO27Y+tHG62S/eGxPOHWrwvh1aBqq0=";
+          };
+        });
+      })
     ];
   });
 

home/modules/tmux.nix

@@ -14,9 +14,9 @@ in
   config = lib.mkIf cfg.enable {
     programs.tmux = {
       enable = true;
-      # shell = getExe (if macos then pkgs.zsh else pkgs.fish);
+      shell = getExe (if macos then pkgs.zsh else pkgs.fish);
       # shell = if macos then "/bin/zsh" else (getExe pkgs.fish);
-      shell = getExe pkgs.fish;
+      # shell = getExe pkgs.fish;
       mouse = true;
       baseIndex = 1;
       terminal = "screen-256color";

hosts/little-lightning/configuration.nix

@@ -1,4 +1,8 @@
 { pkgs, lib, self, ... }: {
+  imports = [
+    ./darwin-modules/pam.nix
+  ];
+
   # List packages installed in system profile. To search by name, run:
   # $ nix-env -qaP | grep wget
   environment.systemPackages = [ ];
@@ -56,6 +60,7 @@
   ];
 
   security.pam.enableSudoTouchIdAuth = true;
+  security.pam.enableSudoTouchIdReattach = true;
 
   users.users.zynh = {
     name = "zynh";

hosts/little-lightning/darwin-modules/pam.nix

@@ -0,0 +1,114 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.security.pam;
+
+  # Implementation Notes
+  #
+  # We don't use `environment.etc` because this would require that the user manually delete
+  # `/etc/pam.d/sudo` which seems unwise given that applying the nix-darwin configuration requires
+  # sudo. We also can't use `system.patchs` since it only runs once, and so won't patch in the
+  # changes again after OS updates (which remove modifications to this file).
+  #
+  # As such, we resort to line addition/deletion in place using `sed`. We add a comment to the
+  # added line that includes the name of the option, to make it easier to identify the line that
+  # should be deleted when the option is disabled.
+  sudoTouchIdAuthScript =
+    let
+      isEnabled = cfg.enableSudoTouchIdAuth;
+      file = "/etc/pam.d/sudo";
+      option = "security.pam.enableSudoTouchIdAuth";
+      sed = "${pkgs.gnused}/bin/sed";
+    in
+    ''
+      ${if isEnabled then ''
+        # Enable sudo Touch ID authentication, if not already enabled
+        if ! grep 'pam_tid.so' ${file} > /dev/null; then
+          ${sed} -i '2i\
+        auth       sufficient     pam_tid.so # nix-darwin: ${option}
+          ' ${file}
+        fi
+      '' else ''
+        # Disable sudo Touch ID authentication, if added by nix-darwin
+        if grep '${option}' ${file} > /dev/null; then
+          ${sed} -i '/${option}/d' ${file}
+        fi
+      ''}
+    '';
+
+  sudoTouchIdReattachScript =
+    let
+      isEnabled = cfg.enableSudoTouchIdReattach;
+      file = "/etc/pam.d/sudo";
+      option = "security.pam.enableSudoTouchIdReattach";
+      sed = "${pkgs.gnused}/bin/sed";
+    in
+    ''
+      ${if isEnabled then ''
+        # Enable sudo Touch ID authentication, if not already enabled
+        if ! grep 'pam_tid.so' ${file} > /dev/null; then
+          ${sed} -i '2i\
+        auth       sufficient     /opt/homebrew/lib/pam/pam_reattach.so # nix-darwin: ${option}
+          ' ${file}
+        fi
+      '' else ''
+        # Disable sudo Touch ID authentication, if added by nix-darwin
+        if grep '${option}' ${file} > /dev/null; then
+          ${sed} -i '/${option}/d' ${file}
+        fi
+      ''}
+    '';
+in
+
+{
+  options = {
+    # security.pam.enableSudoTouchIdAuth = lib.mkForce (mkEnableOption "" // {
+    #   description = ''
+    #     Enable sudo authentication with Touch ID.
+    #
+    #     When enabled, this option adds the following line to
+    #     {file}`/etc/pam.d/sudo`:
+    #
+    #     ```
+    #     auth       sufficient     pam_tid.so
+    #     ```
+    #
+    #     ::: {.note}
+    #     macOS resets this file when doing a system update. As such, sudo
+    #     authentication with Touch ID won't work after a system update
+    #     until the nix-darwin configuration is reapplied.
+    #     :::
+    #   '';
+    # });
+
+    security.pam.enableSudoTouchIdReattach = mkEnableOption "" // {
+      description = ''
+        Enable sudo authentication with Touch ID.
+
+        When enabled, this option adds the following line to
+        {file}`/etc/pam.d/sudo`:
+
+        ```
+        auth       sufficient     /opt/homebrew/lib/pam/pam_reattach.so
+        ```
+
+        ::: {.note}
+        macOS resets this file when doing a system update. As such, sudo
+        authentication with Touch ID won't work after a system update
+        until the nix-darwin configuration is reapplied.
+        :::
+      '';
+    };
+  };
+
+  config = {
+    system.activationScripts.pam.text = lib.mkForce ''
+      # PAM settings
+      echo >&2 "setting up pam..."
+      ${sudoTouchIdAuthScript}
+      ${sudoTouchIdReattachScript}
+    '';
+  };
+}

hosts/little-lightning/home.nix

@@ -19,10 +19,24 @@
     direnv.enable = true;
   };
 
-  programs.tmux.extraConfig = ''
+  # nixpkgs.overlays = [
-    set -gu default-command
+  #   (final: prev: {
-    set -g default-shell "$SHELL"
+  #     tmux = prev.tmux.overrideAttrs (old: rec {
-  '';
+  #       version = "3.5";
+  #       src = prev.fetchFromGitHub {
+  #         owner = "tmux";
+  #         repo = "tmux";
+  #         rev = version;
+  #         hash = "sha256-8CRZj7UyBhuB5QO27Y+tHG62S/eGxPOHWrwvh1aBqq0=";
+  #       };
+  #     });
+  #   })
+  # ];
+
+  # programs.tmux.extraConfig = ''
+  #   set -gu default-command
+  #   set -g default-shell "$SHELL"
+  # '';
 
   programs.alacritty.settings = {
     font.size = lib.mkForce 16.0;