Kieran's opinionated (and probably slightly dumb) nix config
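# NixOS module: enables fprintd and installs hand-written PAM stacks for
# hyprlock, sudo and su so that a fingerprint can be used after the password
# prompt.
#
# Setting `text` on a PAM service replaces the stack NixOS would otherwise
# generate for it, so anything configured through the other
# `security.pam.services.<name>.*` options is not reflected in these three
# services and has to be added here by hand.
{
  lib,
  config,
  pkgs,
  ...
}:
let
  # Builds the PAM stack shared by all three services, so the copies cannot
  # drift apart.
  #
  #   authPrefix    - extra `auth` lines placed before the password check;
  #                   must end with a newline when non-empty.
  #   sessionSuffix - extra `session` lines appended at the end of the stack.
  #
  # Auth order: pam_unix is tried first (password prompt); if it fails,
  # pam_fprintd is tried; pam_deny rejects when neither succeeded. Both
  # checks are `sufficient`, so a fingerprint match alone authenticates —
  # including for sudo and su.
  #
  # `nullok` is deliberately not passed to pam_unix in the auth phase: with
  # it, an account whose password field is empty authenticates without
  # presenting any credential. The password-phase line is left as it was.
  fprintStack =
    {
      authPrefix ? "",
      sessionSuffix ? "",
    }:
    ''
      # Account management.
      account required pam_unix.so # unix (order 10900)

      # Authentication management.
      ${authPrefix}auth sufficient pam_unix.so try_first_pass likeauth
      auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so
      auth required pam_deny.so # deny

      # Password management.
      password sufficient pam_unix.so nullok yescrypt # unix

      # Session management.
      session required pam_env.so conffile=/etc/pam/environment readenv=0 # env (order 10100)
      session required pam_unix.so # unix (order 10200)
      ${sessionSuffix}'';
in
{
  services.fprintd.enable = true;

  # Screen locker: password first, fingerprint as fallback.
  security.pam.services.hyprlock = lib.mkIf (config.services.fprintd.enable) {
    text = fprintStack { };
  };

  # sudo: same stack as the screen locker.
  security.pam.services.sudo = lib.mkIf (config.services.fprintd.enable) {
    text = fprintStack { };
  };

  # su: root skips authentication via pam_rootok, and pam_faillock runs
  # before the password check. The session phase additionally forwards X
  # authority with pam_xauth. The original listed the pam_unix session line
  # twice; it is emitted once here.
  security.pam.services.su = lib.mkIf (config.services.fprintd.enable) {
    text = fprintStack {
      authPrefix = ''
        auth sufficient pam_rootok.so # rootok (order 10200)
        auth required pam_faillock.so # faillock (order 10400)
      '';
      sessionSuffix = ''
        session optional pam_xauth.so systemuser=99 xauthpath=${pkgs.xorg.xauth}/bin/xauth # xauth (order 12100)
      '';
    };
  };
}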