Make PR suggested changes

2025-03-13 20:30:02 +00:00 · 2024-11-29 16:29:51 -08:00 · 2024-11-29 16:29:51 -08:00 · 49bdb77fac
commit 49bdb77fac
parent 83e5c8febd
1 changed files with 39 additions and 38 deletions
--- a/modules/security/pam.nix
+++ b/modules/security/pam.nix
@ -4,39 +4,6 @@ with lib;

 let
  cfg = config.security.pam;
-
-  # Implementation Notes
-  #
-  # Uses `environment.etc` to create the `/etc/pam.d/sudo_local` file that will be used
-  # to manage all things pam related for nix-darwin. An activation script will run to check
-  # for the existance of the line `auth       include        sudo_local`. This is included
-  # in macOS Sonoma and later. If the line is not there already then `sed` will add it.
-  # In those cases, the line will include the name of the option root (`security.pam`),
-  # to make it easier to identify the line that should be deleted when the option is disabled.
-  mkIncludeSudoLocalScript = isEnabled:
-  let
-    file = "/etc/pam.d/sudo";
-    option = "security.pam";
-    deprecatedOption = "security.pam.enableSudoTouchIdAuth";
-    sed = "${pkgs.gnused}/bin/sed";
-  in ''
-    ${if isEnabled then ''
-      # NOTE: this can be removed at some point when support for older versions are dropped
-      # Always clear out older implementation if it exists
-      if grep '${deprecatedOption}' ${file} > /dev/null; then
-        ${sed} -i '/${option}/d' ${file}
-      fi
-      # Check if include line is needed (macOS < 14)
-      if ! grep 'sudo_local' ${file} > /dev/null; then
-        ${sed} -i '2iauth       include        sudo_local # nix-darwin: ${option}' ${file}
-      fi
-    '' else ''
-      # Remove include line if we added it
-      if grep '${option}' ${file} > /dev/null; then
-        ${sed} -i '/${option}/d' ${file}
-      fi
-    ''}
-  '';
 in
 {
  options = {
@ -68,19 +35,53 @@ in
  config =
  let
    isPamEnabled = (cfg.enableSudoTouchIdAuth || cfg.enablePamReattach);
+
+    # Implementation Notes
+    #
+    # Uses `environment.etc` to create the `/etc/pam.d/sudo_local` file that will be used
+    # to manage all things pam related for nix-darwin. An activation script will run to check
+    # for the existance of the line `auth       include        sudo_local`. This is included
+    # in macOS Sonoma and later. If the line is not there already then `sed` will add it.
+    # In those cases, the line will include the marker (`security.pam.sudo_local`),
+    # to make it easier to identify the line that should be deleted when the option is disabled.
+    # Upgrading to Sonoma from a previous version should see the `/etc/pam.d/sudo` file
+    # replaced with one containing the `auth        include        sudo_local` line, but
+    # it will not include the marker because this line's inclusion is now managed by Apple.
  in
  {
    environment.etc."pam.d/sudo_local" = {
      enable = isPamEnabled;
-      text = lib.strings.concatStringsSep "\n" [
-        (lib.optionalString cfg.enablePamReattach "auth       optional       ${pkgs.pam-reattach}/lib/pam/pam_reattach.so")
-        (lib.optionalString cfg.enableSudoTouchIdAuth "auth       sufficient     pam_tid.so")
+      text = lib.concatLines [
+        (lib.mkIf cfg.enablePamReattach "auth       optional       ${pkgs.pam-reattach}/lib/pam/pam_reattach.so")
+        (lib.mkIf cfg.enableSudoTouchIdAuth "auth       sufficient     pam_tid.so")
      ];
    };
-    system.activationScripts.pam.text = ''
+    system.activationScripts.pam.text =
+    let
+      file = "/etc/pam.d/sudo";
+      marker = "security.pam";
+      deprecatedOption = "security.pam.enableSudoTouchIdAuth";
+      sed = "${pkgs.gnused}/bin/sed";
+    in
+    ''
      # PAM settings
      echo >&2 "setting up pam..."
-      ${mkIncludeSudoLocalScript isPamEnabled}
+      ${if isPamEnabled then ''
+        # REMOVEME when macOS 13 no longer supported
+        # Always clear out older implementation if it exists
+        if grep '${deprecatedOption}' ${file} > /dev/null; then
+          ${sed} -i '/${deprecatedOption}/d' ${file}
+        fi
+        # Check if include line is needed (macOS < 14)
+        if ! grep 'sudo_local' ${file} > /dev/null; then
+          ${sed} -i '2iauth       include        sudo_local # nix-darwin: ${marker}' ${file}
+        fi
+      '' else ''
+        # Remove include line if we added it
+        if grep '${marker}' ${file} > /dev/null; then
+          ${sed} -i '/${marker}/d' ${file}
+        fi
+      ''}
    '';
  };
 }