From ca57e8bcdbf1c50846cf37abac8b18f8d0636160 Mon Sep 17 00:00:00 2001
From: Malo Bourgon
Date: Mon, 14 Sep 2020 13:34:30 -0700
Subject: Change option name and switch to using activation script

---
 modules/security/pam.nix | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 modules/security/pam.nix

(limited to 'modules/security')

diff --git a/modules/security/pam.nix b/modules/security/pam.nix
new file mode 100644
index 0000000..4137b3f
--- /dev/null
+++ b/modules/security/pam.nix
@@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.security.pam;
+in
+
+{
+ options = {
+ security.pam.enableSudoTouchIdAuth = mkEnableOption ''
+ Enable sudo authentication with Touch ID
+
+ When enabled, this option adds the following line to /etc/pam.d/sudo:
+
+ auth sufficient pam_tid.so
+
+ (Note that macOS resets this file when doing a system update. As such, sudo
+ authentication with Touch ID won't work after a system update until the nix-darwin
+ configuration is reapplied.)
+ '';
+ };
+
+ config = {
+ system.activationScripts.pam.text = ''
+ # PAM settings
+ echo >&2 "setting up pam..."
+ ${if cfg.enableSudoTouchIdAuth then ''
+ # Enable sudo Touch ID authentication
+ if ! grep pam_tid.so /etc/pam.d/sudo > /dev/null; then
+ sed -i.orig '2i\
+ auth sufficient pam_tid.so
+ ' /etc/pam.d/sudo
+ fi
+ '' else ''
+ # Disable sudo Touch ID authentication
+ if test -e /etc/pam.d/sudo.orig; then
+ mv /etc/pam.d/sudo.orig /etc/pam.d/sudo
+ fi
+ ''}
+ '';
+ };
+}
--
cgit v1.2.3
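Review bot: The enable branch's guard `grep pam_tid.so /etc/pam.d/sudo` matches any occurrence of the module name, including a commented-out or non-`sufficient` line, so a file that merely mentions pam_tid.so is silently left untouched and Touch ID stays off without any message; `if ! grep -q '^auth[[:space:]]*sufficient[[:space:]]*pam_tid.so' /etc/pam.d/sudo; then` pins the check to an active auth rule (and replaces the `> /dev/null` redirect). The disable branch only restores `/etc/pam.d/sudo.orig`, so when that backup is missing the pam_tid.so line survives after the option is turned off, and when it is stale (taken before a macOS update rewrote the file) the restore rolls the sudo PAM stack back to an older version; removing the line directly, `sed -i.orig '/pam_tid.so/d' /etc/pam.d/sudo`, does not depend on the backup. The `2i\` insertion also assumes line 1 of the file is its comment header; on a file without that header the rule would land after the first real auth entry rather than before it, which `sufficient` ordering relies on.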