114 lines
3.5 KiB
Nix
114 lines
3.5 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
|
|
let
|
|
cfg = config.security.pam;
|
|
|
|
# Implementation Notes
|
|
#
|
|
# We don't use `environment.etc` because this would require that the user manually delete
|
|
# `/etc/pam.d/sudo` which seems unwise given that applying the nix-darwin configuration requires
|
|
# sudo. We also can't use `system.patchs` since it only runs once, and so won't patch in the
|
|
# changes again after OS updates (which remove modifications to this file).
|
|
#
|
|
# As such, we resort to line addition/deletion in place using `sed`. We add a comment to the
|
|
# added line that includes the name of the option, to make it easier to identify the line that
|
|
# should be deleted when the option is disabled.
|
|
sudoTouchIdAuthScript =
|
|
let
|
|
isEnabled = cfg.enableSudoTouchIdAuth;
|
|
file = "/etc/pam.d/sudo";
|
|
option = "security.pam.enableSudoTouchIdAuth";
|
|
sed = "${pkgs.gnused}/bin/sed";
|
|
in
|
|
''
|
|
${if isEnabled then ''
|
|
# Enable sudo Touch ID authentication, if not already enabled
|
|
if ! grep 'pam_tid.so' ${file} > /dev/null; then
|
|
${sed} -i '2i\
|
|
auth sufficient pam_tid.so # nix-darwin: ${option}
|
|
' ${file}
|
|
fi
|
|
'' else ''
|
|
# Disable sudo Touch ID authentication, if added by nix-darwin
|
|
if grep '${option}' ${file} > /dev/null; then
|
|
${sed} -i '/${option}/d' ${file}
|
|
fi
|
|
''}
|
|
'';
|
|
|
|
sudoTouchIdReattachScript =
|
|
let
|
|
isEnabled = cfg.enableSudoTouchIdReattach;
|
|
file = "/etc/pam.d/sudo";
|
|
option = "security.pam.enableSudoTouchIdReattach";
|
|
sed = "${pkgs.gnused}/bin/sed";
|
|
in
|
|
''
|
|
${if isEnabled then ''
|
|
# Enable sudo Touch ID authentication, if not already enabled
|
|
if ! grep 'pam_tid.so' ${file} > /dev/null; then
|
|
${sed} -i '2i\
|
|
auth sufficient /opt/homebrew/lib/pam/pam_reattach.so # nix-darwin: ${option}
|
|
' ${file}
|
|
fi
|
|
'' else ''
|
|
# Disable sudo Touch ID authentication, if added by nix-darwin
|
|
if grep '${option}' ${file} > /dev/null; then
|
|
${sed} -i '/${option}/d' ${file}
|
|
fi
|
|
''}
|
|
'';
|
|
in
|
|
|
|
{
|
|
options = {
|
|
# security.pam.enableSudoTouchIdAuth = lib.mkForce (mkEnableOption "" // {
|
|
# description = ''
|
|
# Enable sudo authentication with Touch ID.
|
|
#
|
|
# When enabled, this option adds the following line to
|
|
# {file}`/etc/pam.d/sudo`:
|
|
#
|
|
# ```
|
|
# auth sufficient pam_tid.so
|
|
# ```
|
|
#
|
|
# ::: {.note}
|
|
# macOS resets this file when doing a system update. As such, sudo
|
|
# authentication with Touch ID won't work after a system update
|
|
# until the nix-darwin configuration is reapplied.
|
|
# :::
|
|
# '';
|
|
# });
|
|
|
|
security.pam.enableSudoTouchIdReattach = mkEnableOption "" // {
|
|
description = ''
|
|
Enable sudo authentication with Touch ID.
|
|
|
|
When enabled, this option adds the following line to
|
|
{file}`/etc/pam.d/sudo`:
|
|
|
|
```
|
|
auth sufficient /opt/homebrew/lib/pam/pam_reattach.so
|
|
```
|
|
|
|
::: {.note}
|
|
macOS resets this file when doing a system update. As such, sudo
|
|
authentication with Touch ID won't work after a system update
|
|
until the nix-darwin configuration is reapplied.
|
|
:::
|
|
'';
|
|
};
|
|
};
|
|
|
|
config = {
|
|
system.activationScripts.pam.text = lib.mkForce ''
|
|
# PAM settings
|
|
echo >&2 "setting up pam..."
|
|
${sudoTouchIdAuthScript}
|
|
${sudoTouchIdReattachScript}
|
|
'';
|
|
};
|
|
}
|