| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273 |
- {
- config,
- lib,
- pkgs,
- ...
- }:
- with lib;
- let
- cfg = config.security.pam;
- mkPamReattachScript =
- isEnabled:
- let
- file = "/etc/pam.d/sudo";
- option = "security.pam.reattach";
- sed = "${pkgs.gnused}/bin/sed";
- in
- ''
- ${
- if isEnabled then
- ''
- # If enable and in file, remove and re-add in case the store path has
- # changed
- if grep '${option}' ${file} > /dev/null; then
- ${sed} -i '/${option}/d' ${file}
- fi
- ${sed} -i '2i\
- auth optional ${pkgs.pam-reattach}/lib/pam/pam_reattach.so ignore_ssh # nix-darwin: ${option}
- ' ${file}
- ''
- else
- ''
- # Disable pam_reattach, if added by nix-darwin
- if grep '${option}' ${file} > /dev/null; then
- ${sed} -i '/${option}/d' ${file}
- fi
- ''
- }
- '';
- in
- {
- options = {
- security.pam.enablePamReattach = mkEnableOption "" // {
- description = lib.mdDoc ''
- Enable pam_reattach sudo authentication with Touch ID in tmux/screen.
- When enabled, this option adds the following line to
- {file}`/etc/pam.d/sudo`:
- ```
- auth optional pam_reattach.so ignore_ssh
- ```
- ::: {.note}
- macOS resets this file when doing a system update. As such,
- pam_reattach won't work after a system update
- until the nix-darwin configuration is reapplied.
- :::
- '';
- };
- };
- config = {
- environment.systemPackages = mkIf cfg.enablePamReattach [ pkgs.pam-reattach ];
- system.activationScripts.pam.text = ''
- # PAM settings
- echo >&2 "setting up pam..."
- ${mkPamReattachScript cfg.enablePamReattach}
- '';
- };
- }