nixos/hosts/little-lightning/darwin-modules/pam.nix

114 lines
3.5 KiB
Nix

{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.security.pam;
# Implementation Notes
#
# We don't use `environment.etc` because this would require that the user manually delete
# `/etc/pam.d/sudo` which seems unwise given that applying the nix-darwin configuration requires
# sudo. We also can't use `system.patchs` since it only runs once, and so won't patch in the
# changes again after OS updates (which remove modifications to this file).
#
# As such, we resort to line addition/deletion in place using `sed`. We add a comment to the
# added line that includes the name of the option, to make it easier to identify the line that
# should be deleted when the option is disabled.
sudoTouchIdAuthScript =
let
isEnabled = cfg.enableSudoTouchIdAuth;
file = "/etc/pam.d/sudo";
option = "security.pam.enableSudoTouchIdAuth";
sed = "${pkgs.gnused}/bin/sed";
in
''
${if isEnabled then ''
# Enable sudo Touch ID authentication, if not already enabled
if ! grep 'pam_tid.so' ${file} > /dev/null; then
${sed} -i '2i\
auth sufficient pam_tid.so # nix-darwin: ${option}
' ${file}
fi
'' else ''
# Disable sudo Touch ID authentication, if added by nix-darwin
if grep '${option}' ${file} > /dev/null; then
${sed} -i '/${option}/d' ${file}
fi
''}
'';
sudoTouchIdReattachScript =
let
isEnabled = cfg.enableSudoTouchIdReattach;
file = "/etc/pam.d/sudo";
option = "security.pam.enableSudoTouchIdReattach";
sed = "${pkgs.gnused}/bin/sed";
in
''
${if isEnabled then ''
# Enable sudo Touch ID authentication, if not already enabled
if ! grep 'pam_tid.so' ${file} > /dev/null; then
${sed} -i '2i\
auth sufficient /opt/homebrew/lib/pam/pam_reattach.so # nix-darwin: ${option}
' ${file}
fi
'' else ''
# Disable sudo Touch ID authentication, if added by nix-darwin
if grep '${option}' ${file} > /dev/null; then
${sed} -i '/${option}/d' ${file}
fi
''}
'';
in
{
options = {
# security.pam.enableSudoTouchIdAuth = lib.mkForce (mkEnableOption "" // {
# description = ''
# Enable sudo authentication with Touch ID.
#
# When enabled, this option adds the following line to
# {file}`/etc/pam.d/sudo`:
#
# ```
# auth sufficient pam_tid.so
# ```
#
# ::: {.note}
# macOS resets this file when doing a system update. As such, sudo
# authentication with Touch ID won't work after a system update
# until the nix-darwin configuration is reapplied.
# :::
# '';
# });
security.pam.enableSudoTouchIdReattach = mkEnableOption "" // {
description = ''
Enable sudo authentication with Touch ID.
When enabled, this option adds the following line to
{file}`/etc/pam.d/sudo`:
```
auth sufficient /opt/homebrew/lib/pam/pam_reattach.so
```
::: {.note}
macOS resets this file when doing a system update. As such, sudo
authentication with Touch ID won't work after a system update
until the nix-darwin configuration is reapplied.
:::
'';
};
};
config = {
system.activationScripts.pam.text = lib.mkForce ''
# PAM settings
echo >&2 "setting up pam..."
${sudoTouchIdAuthScript}
${sudoTouchIdReattachScript}
'';
};
}