authorMalo Bourgon <mbourgon@gmail.com>2020-09-11 12:14:44 -0700
committerMalo Bourgon <mbourgon@gmail.com>2022-06-30 13:31:42 -0700
commit1d98da837f1e94c04209bce901d5b664b3cd0ec5 (patch)
tree9a32a31d1eb4ac7893e34a3837bb166525b90561 /modules/system
parent2f2bdf658d2b79bada78dc914af99c53cad37cba (diff)
Add option to enable sudo authentication with TouchID
Diffstat (limited to 'modules/system')
-rw-r--r--modules/system/etc-pam.d-sudo.patch8
-rw-r--r--modules/system/sudo.nix15
2 files changed, 23 insertions, 0 deletions
diff --git a/modules/system/etc-pam.d-sudo.patch b/modules/system/etc-pam.d-sudo.patch
new file mode 100644
index 0000000..fa361b4
--- /dev/null
+++ b/modules/system/etc-pam.d-sudo.patch
@@ -0,0 +1,8 @@
+--- /etc/pam.d/sudo
++++ /etc/pam.d/sudo
+@@ -1,4 +1,5 @@
+ # sudo: auth account password session
++auth sufficient pam_tid.so
+ auth sufficient pam_smartcard.so
+ auth required pam_opendirectory.so
+ account required pam_permit.so
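Review bot: This patch only applies when `/etc/pam.d/sudo` matches the four hard-coded context lines exactly, and nothing visible in the commit detects the case where it does not apply or where the file is later put back to its stock contents. An OS update replacing the file would presumably drop the `pam_tid.so` line silently, leaving the option enabled in the configuration but ineffective on disk. Activation should check that the `auth sufficient pam_tid.so` line is present and warn when it is missing, and should skip cleanly when the line is already there, so that re-running is idempotent. A comment above the added line such as `# managed by system.sudo.touchid.enable` would also let an administrator auditing the PAM stack see where the entry came from.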
diff --git a/modules/system/sudo.nix b/modules/system/sudo.nix
new file mode 100644
index 0000000..d4112ed
--- /dev/null
+++ b/modules/system/sudo.nix
@@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.system.sudo;
+in
+
+{
+ options = {
+ system.sudo.touchid.enable = mkEnableOption "Enable sudo authentication with Touch ID";
+ };
+
+ config = mkIf cfg.touchid.enable { system.patches = [ ./etc-pam.d-sudo.patch ]; };
+}
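Review bot: `mkEnableOption` already prepends "Whether to enable " to its argument, so on the `system.sudo.touchid.enable` line the generated description reads "Whether to enable Enable sudo authentication with Touch ID."; pass the noun phrase instead, `system.sudo.touchid.enable = mkEnableOption "sudo authentication with Touch ID";`. The option also changes how root is obtained: the patch places `pam_tid.so` as `sufficient` at the top of the sudo auth stack, so a Touch ID match alone satisfies sudo and the password check is only reached as a fallback. The option documentation should state that, and should mention that enabling it modifies `/etc/pam.d/sudo` through `system.patches`, so users can make the choice knowingly.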