From 3ca5051fc9da2406ce3f748d0de78fb643612398 Mon Sep 17 00:00:00 2001
From: ahuston-0
Date: Tue, 2 Apr 2024 19:16:42 -0400
Subject: [PATCH] move fingerprint settings to a module
Signed-off-by: ahuston-0
---
 modules/pam-fingerprint-swap.nix | 64 +++++++++++++++++++
 .../alice/systems/artemision/fingerprint.nix | 39 ++---------
 2 files changed, 70 insertions(+), 33 deletions(-)
 create mode 100644 modules/pam-fingerprint-swap.nix
diff --git a/modules/pam-fingerprint-swap.nix b/modules/pam-fingerprint-swap.nix
new file mode 100644
index 0000000..c7557d6
--- /dev/null
+++ b/modules/pam-fingerprint-swap.nix
@@ -0,0 +1,64 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+# borrowed from https://github.com/NixOS/nixpkgs/issues/171136
+# and https://wiki.archlinux.org/title/fprint#Login_configuration
+# and also this internal/experimental feature:
+# https://github.com/NixOS/nixpkgs/pull/255547
+#
+# This should allow fprintd to go after pam_unix (so it asks for your password first!)
+let
+ cfg = config.security.pam.fprintd-order;
+in
+{
+ options = {
+ security.pam.fprintd-order = {
+ enable = lib.mkEnableOption "fprintd-order";
+ order = lib.mkOption {
+ type = lib.types.int;
+ default = 11501;
+ description = ''
+ the ordering for fprintd used in pam.d service files.
+ 11300 is the current default as of 2024-04-02 (subject to change with auto-ordering rules)
+ 11501 places it just after pam_unix (ie. password prompt, then fingerprint)
+ '';
+ };
+ };
+ };
+
+ config = lib.mkIf (cfg.enable) {
+
+ # to generate this its going to look something like this
+ # rg "fprintd" --follow /etc/pam.d | sed -nr 's/\/etc\/pam.d\/(\w+)/\1/p' | cut -d ':' -f 1 | awk '{printf "security.pam.services.%s.rules.auth.fprintd.order=11501;\n",$1}'
+
+ # need to check if this one is needed... file doesnt exist when this module is disabled
+ #security.pam.services.auth.rules.auth.fprintd.order = cfg.order;
+
+ security.pam.services.passwd.rules.auth.fprintd.order = cfg.order;
+ security.pam.services.chpasswd.rules.auth.fprintd.order = cfg.order;
+ security.pam.services.groupdel.rules.auth.fprintd.order = cfg.order;
+ security.pam.services.groupadd.rules.auth.fprintd.order = cfg.order;
+ security.pam.services.useradd.rules.auth.fprintd.order = cfg.order;
+ security.pam.services.i3lock.rules.auth.fprintd.order = cfg.order;
+ security.pam.services.systemd-user.rules.auth.fprintd.order = cfg.order;
+ security.pam.services.sudo.rules.auth.fprintd.order = cfg.order;
+ security.pam.services.userdel.rules.auth.fprintd.order = cfg.order;
+ security.pam.services.chfn.rules.auth.fprintd.order = cfg.order;
+ security.pam.services.su.rules.auth.fprintd.order = cfg.order;
+ security.pam.services.usermod.rules.auth.fprintd.order = cfg.order;
+ security.pam.services.groupmems.rules.auth.fprintd.order = cfg.order;
+ security.pam.services.chsh.rules.auth.fprintd.order = cfg.order;
+ security.pam.services.i3lock-color.rules.auth.fprintd.order = cfg.order;
+ security.pam.services.xscreensaver.rules.auth.fprintd.order = cfg.order;
+ security.pam.services.xlock.rules.auth.fprintd.order = cfg.order;
+ security.pam.services.polkit-1.rules.auth.fprintd.order = cfg.order;
+ security.pam.services.vlock.rules.auth.fprintd.order = cfg.order;
+ security.pam.services.runuser-l.rules.auth.fprintd.order = cfg.order;
+ security.pam.services.groupmod.rules.auth.fprintd.order = cfg.order;
+ security.pam.services.runuser.rules.auth.fprintd.order = cfg.order;
+ };
+}
diff --git a/users/alice/systems/artemision/fingerprint.nix b/users/alice/systems/artemision/fingerprint.nix
index 93a771a..4c0eaef 100644
--- a/users/alice/systems/artemision/fingerprint.nix
+++ b/users/alice/systems/artemision/fingerprint.nix
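Review bot: The `config` block pins `rules.auth.fprintd.order` for a fixed list of 22 PAM services captured by a one-off `rg` over /etc/pam.d on one host, so any service that uses fprintd but is not listed (a display manager or `login`, for example) would keep the default fingerprint-first order while `sudo`, `su` and `polkit-1` get the new one. Defining an attribute under `security.pam.services.<name>` also appears to instantiate that service, which the commented-out `auth` line hints at, so enabling the module probably generates pam.d entries for lockers such as `xlock` or `vlock` whether or not they are installed; this is worth confirming on a test build. `order` is an unconstrained `lib.types.int` tied to nixpkgs' internal rule numbering, so a comment next to `default = 11501;` such as `# re-check against the pam_unix order after every nixpkgs bump; a stale value may no longer sort after pam_unix` would help. The option description could also state that fprintd, assuming it stays a `sufficient` rule, remains an alternative to the password and not a second factor.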
@@ -4,40 +4,13 @@
 pkgs,
 ...
 }:
-
-# borrowed from https://github.com/NixOS/nixpkgs/issues/171136
-# and https://wiki.archlinux.org/title/fprint#Login_configuration
-# and also this internal/experimental feature:
-# https://github.com/NixOS/nixpkgs/pull/255547
-#
-# This should allow fprintd to go after pam_unix (so it asks for your password first!)
 {
-
- # to generate this its going to look something like this
- # rg "fprintd" --follow /etc/pam.d | sed -nr 's/\/etc\/pam.d\/(\w+)/\1/p' | cut -d ':' -f 1 | awk '{printf "security.pam.services.%s.rules.auth.fprintd.order=11501;\n",$1}'
- security.pam.services.passwd.rules.auth.fprintd.order = 11501;
- security.pam.services.auth.rules.auth.fprintd.order = 11501;
- security.pam.services.chpasswd.rules.auth.fprintd.order = 11501;
- security.pam.services.groupdel.rules.auth.fprintd.order = 11501;
- security.pam.services.groupadd.rules.auth.fprintd.order = 11501;
- security.pam.services.useradd.rules.auth.fprintd.order = 11501;
- security.pam.services.i3lock.rules.auth.fprintd.order = 11501;
- security.pam.services.systemd-user.rules.auth.fprintd.order = 11501;
- security.pam.services.sudo.rules.auth.fprintd.order = 11501;
- security.pam.services.userdel.rules.auth.fprintd.order = 11501;
- security.pam.services.chfn.rules.auth.fprintd.order = 11501;
- security.pam.services.su.rules.auth.fprintd.order = 11501;
- security.pam.services.usermod.rules.auth.fprintd.order = 11501;
- security.pam.services.groupmems.rules.auth.fprintd.order = 11501;
- security.pam.services.chsh.rules.auth.fprintd.order = 11501;
- security.pam.services.i3lock-color.rules.auth.fprintd.order = 11501;
- security.pam.services.xscreensaver.rules.auth.fprintd.order = 11501;
- security.pam.services.xlock.rules.auth.fprintd.order = 11501;
- security.pam.services.polkit-1.rules.auth.fprintd.order = 11501;
- security.pam.services.vlock.rules.auth.fprintd.order = 11501;
- security.pam.services.runuser-l.rules.auth.fprintd.order = 11501;
- security.pam.services.groupmod.rules.auth.fprintd.order = 11501;
- security.pam.services.runuser.rules.auth.fprintd.order = 11501;
+ # custom module from modules/pam-fingerprint-swap.nix
+ # swaps password and fingerprint in pam ordering
+ security.pam.fprintd-order = {
+ enable = false;
+ order = 11501;
+ };
 # to auto-flip to password when the laptop lid is closed (ie. docked)
 services.acpid = {
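Review bot: `enable = false;` means this host no longer applies any of the 23 removed overrides, so after this commit fprintd presumably falls back to the default order (fingerprint before the password prompt) for `sudo`, `su`, `polkit-1` and the screen lockers, which is a behaviour change that the subject "move fingerprint settings to a module" does not suggest. If that is intended, say so inline, e.g. `enable = false; # off for now: fprintd keeps the nixpkgs default order on this host`; otherwise it should be `enable = true;`. The hunk does not show an `imports` entry for modules/pam-fingerprint-swap.nix, so check that it is imported elsewhere, since the option would otherwise be undefined at evaluation. The removed list also covered the `auth` service, which the new module leaves commented out. The attribute set continues past the end of the hunk.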