dunkirk.sh / dots
Kieran's opinionated (and probably slightly dumb) nix config
fork atom

feat: add password prefered pam config

Kieran Klukas 53ff5c67 7b95a1d6

options
unified split
Changed files
+70 -3
moonlark
configuration.nix
pam.nix
+2 -3
moonlark/configuration.nix 
···

       
24

       
24

       
 

       
    


     

       
25

       
25

       
 

       
    # hpyrland config


     

       
26

       
26

       
 

       
    # ./hyprland


     

       

       
27

       
+

       



     

       

       
28

       
+

       
    ./pam.nix


     

       
27

       
29

       
 

       
  ];


     

       
28

       
30

       
 

       
	


     

       
29

       
31

       
 

       
  nixpkgs = {


     
···

       
94

       
96

       
 

       
      })


     

       
95

       
97

       
 

       
    pkgs.github-desktop


     

       
96

       
98

       
 

       
  ];


     

       
97

       

       
-

       



     

       
98

       

       
-

       
  services.fprintd.enable = true;


     

       
99

       

       
-

       
  security.pam.services.hyprlock.fprintAuth = true;


     

       
100

       
99

       
 

       



     

       
101

       
100

       
 

       
  services.gnome.gnome-keyring.enable = true;


     

       
102

       
101
+68
moonlark/pam.nix 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
    lib,


     

       

       
3

       
+

       
    config,


     

       

       
4

       
+

       
    pkgs,


     

       

       
5

       
+

       
    ...


     

       

       
6

       
+

       
}: {


     

       

       
7

       
+

       
    services.fprintd.enable = true;


     

       

       
8

       
+

       
    security.pam.services.hyprlock = lib.mkIf (config.services.fprintd.enable) {


     

       

       
9

       
+

       
        text = ''


     

       

       
10

       
+

       
            # Account management.


     

       

       
11

       
+

       
            account required pam_unix.so # unix (order 10900)


     

       

       
12

       
+

       



     

       

       
13

       
+

       
            # Authentication management.


     

       

       
14

       
+

       
            auth sufficient pam_unix.so try_first_pass likeauth nullok


     

       

       
15

       
+

       
            auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so


     

       

       
16

       
+

       
            auth required pam_deny.so # deny


     

       

       
17

       
+

       



     

       

       
18

       
+

       
            # Password management.


     

       

       
19

       
+

       
            password sufficient pam_unix.so nullok yescrypt # unix


     

       

       
20

       
+

       
            


     

       

       
21

       
+

       
            # Session management.


     

       

       
22

       
+

       
            session required pam_env.so conffile=/etc/pam/environment readenv=0 # env (order 10100)


     

       

       
23

       
+

       
            session required pam_unix.so # unix (order 10200)


     

       

       
24

       
+

       
        '';


     

       

       
25

       
+

       
    };


     

       

       
26

       
+

       



     

       

       
27

       
+

       
    security.pam.services.sudo = lib.mkIf (config.services.fprintd.enable) {


     

       

       
28

       
+

       
        text = ''


     

       

       
29

       
+

       
            # Account management.


     

       

       
30

       
+

       
            account required pam_unix.so # unix (order 10900)


     

       

       
31

       
+

       



     

       

       
32

       
+

       
            # Authentication management.


     

       

       
33

       
+

       
            auth sufficient pam_unix.so try_first_pass likeauth nullok


     

       

       
34

       
+

       
            auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so


     

       

       
35

       
+

       
            auth required pam_deny.so # deny


     

       

       
36

       
+

       



     

       

       
37

       
+

       
            # Password management.


     

       

       
38

       
+

       
            password sufficient pam_unix.so nullok yescrypt # unix


     

       

       
39

       
+

       
            


     

       

       
40

       
+

       
            # Session management.


     

       

       
41

       
+

       
            session required pam_env.so conffile=/etc/pam/environment readenv=0 # env (order 10100)


     

       

       
42

       
+

       
            session required pam_unix.so # unix (order 10200)


     

       

       
43

       
+

       
        '';


     

       

       
44

       
+

       
    };


     

       

       
45

       
+

       



     

       

       
46

       
+

       
    security.pam.services.su = lib.mkIf (config.services.fprintd.enable) {


     

       

       
47

       
+

       
        text = ''


     

       

       
48

       
+

       
            # Account management.


     

       

       
49

       
+

       
            account required pam_unix.so # unix (order 10900)


     

       

       
50

       
+

       



     

       

       
51

       
+

       
            # Authentication management.


     

       

       
52

       
+

       
            auth sufficient pam_rootok.so # rootok (order 10200)


     

       

       
53

       
+

       
            auth required pam_faillock.so # faillock (order 10400)


     

       

       
54

       
+

       
            auth sufficient pam_unix.so try_first_pass likeauth nullok


     

       

       
55

       
+

       
            auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so


     

       

       
56

       
+

       
            auth required pam_deny.so # deny


     

       

       
57

       
+

       



     

       

       
58

       
+

       
            # Password management.


     

       

       
59

       
+

       
            password sufficient pam_unix.so nullok yescrypt # unix


     

       

       
60

       
+

       
            


     

       

       
61

       
+

       
            # Session management.


     

       

       
62

       
+

       
            session required pam_env.so conffile=/etc/pam/environment readenv=0 # env (order 10100)


     

       

       
63

       
+

       
            session required pam_unix.so # unix (order 10200)


     

       

       
64

       
+

       
            session required pam_unix.so # unix (order 10200)


     

       

       
65

       
+

       
            session optional pam_xauth.so systemuser=99 xauthpath=${pkgs.xorg.xauth}/bin/xauth # xauth (order 12100)


     

       

       
66

       
+

       
        '';


     

       

       
67

       
+

       
    };


     

       

       
68

       
+

       
}