home/modules/darwin/security/pam-reattach.nix

{ config
, lib
, pkgs
, ...
}:

with lib;

let
  cfg = config.security.pam;

  mkPamReattachScript =
    isEnabled:
    let
      file = "/etc/pam.d/sudo";
      option = "security.pam.reattach";
      sed = "${pkgs.gnused}/bin/sed";
    in
    ''
      ${
        if isEnabled then
          ''
            # If enable and in file, remove and re-add in case the store path has
            # changed
            if grep '${option}' ${file} > /dev/null; then
              ${sed} -i '/${option}/d' ${file}
            fi

            ${sed} -i '2i\
            auth       optional       ${pkgs.pam-reattach}/lib/pam/pam_reattach.so ignore_ssh # nix-darwin: ${option}
            ' ${file}
          ''
        else
          ''
            # Disable pam_reattach, if added by nix-darwin
            if grep '${option}' ${file} > /dev/null; then
              ${sed} -i '/${option}/d' ${file}
            fi
          ''
      }
    '';
in

{
  options = {
    security.pam.enablePamReattach = mkEnableOption "" // {
      description = lib.mdDoc ''
        Enable pam_reattach sudo authentication with Touch ID in tmux/screen.

        When enabled, this option adds the following line to
        {file}`/etc/pam.d/sudo`:

        ```
        auth       optional     pam_reattach.so ignore_ssh
        ```

        ::: {.note}
        macOS resets this file when doing a system update. As such,
        pam_reattach won't work after a system update
        until the nix-darwin configuration is reapplied.
        :::
      '';
    };
  };

  config = {
    environment.systemPackages = mkIf cfg.enablePamReattach [ pkgs.pam-reattach ];

    system.activationScripts.pam.text = ''
      # PAM settings
      echo >&2 "setting up pam..."
      ${mkPamReattachScript cfg.enablePamReattach}
    '';
  };
}