little-lightning: maybe pam another time

2024-11-24 14:41:14 -08:00 · 2024-11-24 14:41:14 -08:00 · d4cd494b5e
commit d4cd494b5e
parent c2869eb6aa
1 changed files with 0 additions and 114 deletions
--- a/hosts/little-lightning/darwin-modules/pam.nix
+++ b/hosts/little-lightning/darwin-modules/pam.nix
@ -1,114 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.security.pam;
-
-  # Implementation Notes
-  #
-  # We don't use `environment.etc` because this would require that the user manually delete
-  # `/etc/pam.d/sudo` which seems unwise given that applying the nix-darwin configuration requires
-  # sudo. We also can't use `system.patchs` since it only runs once, and so won't patch in the
-  # changes again after OS updates (which remove modifications to this file).
-  #
-  # As such, we resort to line addition/deletion in place using `sed`. We add a comment to the
-  # added line that includes the name of the option, to make it easier to identify the line that
-  # should be deleted when the option is disabled.
-  sudoTouchIdAuthScript =
-    let
-      isEnabled = cfg.enableSudoTouchIdAuth;
-      file = "/etc/pam.d/sudo";
-      option = "security.pam.enableSudoTouchIdAuth";
-      sed = "${pkgs.gnused}/bin/sed";
-    in
-    ''
-      ${if isEnabled then ''
-        # Enable sudo Touch ID authentication, if not already enabled
-        if ! grep 'pam_tid.so' ${file} > /dev/null; then
-          ${sed} -i '2i\
-        auth       sufficient     pam_tid.so # nix-darwin: ${option}
-          ' ${file}
-        fi
-      '' else ''
-        # Disable sudo Touch ID authentication, if added by nix-darwin
-        if grep '${option}' ${file} > /dev/null; then
-          ${sed} -i '/${option}/d' ${file}
-        fi
-      ''}
-    '';
-
-  sudoTouchIdReattachScript =
-    let
-      isEnabled = cfg.enableSudoTouchIdReattach;
-      file = "/etc/pam.d/sudo";
-      option = "security.pam.enableSudoTouchIdReattach";
-      sed = "${pkgs.gnused}/bin/sed";
-    in
-    ''
-      ${if isEnabled then ''
-        # Enable sudo Touch ID authentication, if not already enabled
-        if ! grep 'pam_tid.so' ${file} > /dev/null; then
-          ${sed} -i '2i\
-        auth       sufficient     /opt/homebrew/lib/pam/pam_reattach.so # nix-darwin: ${option}
-          ' ${file}
-        fi
-      '' else ''
-        # Disable sudo Touch ID authentication, if added by nix-darwin
-        if grep '${option}' ${file} > /dev/null; then
-          ${sed} -i '/${option}/d' ${file}
-        fi
-      ''}
-    '';
-in
-
-{
-  options = {
-    # security.pam.enableSudoTouchIdAuth = lib.mkForce (mkEnableOption "" // {
-    #   description = ''
-    #     Enable sudo authentication with Touch ID.
-    #
-    #     When enabled, this option adds the following line to
-    #     {file}`/etc/pam.d/sudo`:
-    #
-    #     ```
-    #     auth       sufficient     pam_tid.so
-    #     ```
-    #
-    #     ::: {.note}
-    #     macOS resets this file when doing a system update. As such, sudo
-    #     authentication with Touch ID won't work after a system update
-    #     until the nix-darwin configuration is reapplied.
-    #     :::
-    #   '';
-    # });
-
-    security.pam.enableSudoTouchIdReattach = mkEnableOption "" // {
-      description = ''
-        Enable sudo authentication with Touch ID.
-
-        When enabled, this option adds the following line to
-        {file}`/etc/pam.d/sudo`:
-
-        ```
-        auth       sufficient     /opt/homebrew/lib/pam/pam_reattach.so
-        ```
-
-        ::: {.note}
-        macOS resets this file when doing a system update. As such, sudo
-        authentication with Touch ID won't work after a system update
-        until the nix-darwin configuration is reapplied.
-        :::
-      '';
-    };
-  };
-
-  config = {
-    system.activationScripts.pam.text = lib.mkForce ''
-      # PAM settings
-      echo >&2 "setting up pam..."
-      ${sudoTouchIdAuthScript}
-      ${sudoTouchIdReattachScript}
-    '';
-  };
-}