Add option to enable sudo authentication with TouchID

modules/module-list.nix

@@ -29,6 +29,7 @@
   ./system/launchd.nix
   ./system/patches.nix
   ./system/shells.nix
+  ./system/sudo.nix
   ./system/version.nix
   ./time
   ./networking

modules/system/etc-pam.d-sudo.patch

@@ -0,0 +1,8 @@
+--- /etc/pam.d/sudo
++++ /etc/pam.d/sudo
+@@ -1,4 +1,5 @@
+ # sudo: auth account password session
++auth       sufficient     pam_tid.so
+ auth       sufficient     pam_smartcard.so
+ auth       required       pam_opendirectory.so
+ account    required       pam_permit.so

modules/system/sudo.nix

@@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.system.sudo;
+in
+
+{
+  options = {
+    system.sudo.touchid.enable = mkEnableOption "Enable sudo authentication with Touch ID";
+  };
+
+  config = mkIf cfg.touchid.enable { system.patches = [ ./etc-pam.d-sudo.patch ]; };
+}