{ config, lib, ... }:
# NixOS module: move the fprintd auth rule to a configurable position in the
# PAM auth stack of a fixed list of services.
#
# borrowed from https://github.com/NixOS/nixpkgs/issues/171136
# and https://wiki.archlinux.org/title/fprint#Login_configuration
# and also this internal/experimental feature:
# https://github.com/NixOS/nixpkgs/pull/255547
#
# This should allow fprintd to go after pam_unix (so it asks for your password first!)
#
# NOTE(review): this module only sets the `order` of the fprintd rule; it does
# not change the control flag of fprintd or pam_unix. Reordering alone
# presumably leaves the fingerprint as an alternative to the password rather
# than a second factor. Confirm against the generated /etc/pam.d/<service>
# files before relying on it for anything stronger than prompt order.
let
  inherit (lib)
    genAttrs
    mkEnableOption
    mkIf
    mkOption
    types
    ;

  fprintdOrder = config.security.pam.fprintd-order;

  # PAM services whose fprintd auth rule is reordered.
  #
  # To regenerate this list, it is going to look something like this:
  # rg "fprintd" --follow /etc/pam.d | sed -nr 's/\/etc\/pam.d\/(\w+)/\1/p' | cut -d ':' -f 1 | awk '{printf "security.pam.services.%s.rules.auth.fprintd.order=11501;\n",$1}'
  #
  # The list is static: a service that gains an fprintd rule later is not
  # covered until it is added here, and keeps whatever order it had.
  #
  # Need to check if `auth` is needed... its file does not exist when this
  # module is disabled, so it is left out for now:
  #security.pam.services.auth.rules.auth.fprintd.order = cfg.order;
  reorderedServices = [
    "passwd"
    "chpasswd"
    "groupdel"
    "groupadd"
    "useradd"
    "i3lock"
    "systemd-user"
    "sudo"
    "userdel"
    "chfn"
    "su"
    "usermod"
    "groupmems"
    "chsh"
    "i3lock-color"
    "xscreensaver"
    "xlock"
    "polkit-1"
    "vlock"
    "runuser-l"
    "groupmod"
    "runuser"
  ];
in
{
  options.security.pam.fprintd-order = {
    enable = mkEnableOption "fprintd-order";

    order = mkOption {
      type = types.int;
      default = 11501;
      description = ''
        the ordering for fprintd used in pam.d service files.
        11300 is the current default as of 2024-04-02 (subject to change with auto-ordering rules)
        11501 places it just after pam_unix (ie. password prompt, then fingerprint)
      '';
    };
  };

  # Nothing is emitted unless the module is explicitly enabled.
  config = mkIf fprintdOrder.enable {
    # Same attribute set as writing `<service>.rules.auth.fprintd.order` once
    # per service: every listed service gets the configured order value.
    security.pam.services = genAttrs reorderedServices (_service: {
      rules.auth.fprintd.order = fprintdOrder.order;
    });
  };
}