From 6e8bc5e7408e2c5f62871d63d409ba527e84ca57 Mon Sep 17 00:00:00 2001
From: Malo Bourgon <mbourgon@gmail.com>
Date: Mon, 5 Oct 2020 10:46:20 -0700
Subject: [PATCH] Use sed to disable sudo touch ID authentication

---
 modules/security/pam.nix | 44 ++++++++++++++++++++++++++++------------
 1 file changed, 31 insertions(+), 13 deletions(-)

diff --git a/modules/security/pam.nix b/modules/security/pam.nix
index 4137b3fe..424e674f 100644
--- a/modules/security/pam.nix
+++ b/modules/security/pam.nix
@@ -4,6 +4,36 @@ with lib;
 
 let
   cfg = config.security.pam;
+
+  # Implementation Notes
+  #
+  # We don't use `environment.etc` because this would require that the user manually delete
+  # `/etc/pam.d/sudo` which seems unwise given that applying the nix-darwin configuration requires
+  # sudo. We also can't use `system.patchs` since it only runs once, and so won't patch in the
+  # changes again after OS updates (which remove modifications to this file).
+  #
+  # As such, we resort to line addition/deletion in place using `sed`. We add a comment to the
+  # added line that includes the name of the option, to make it easier to identify the line that
+  # should be deleted when the option is disabled.
+  mkSudoTouchIdAuthScript = isEnabled:
+  let
+    file   = "/etc/pam.d/sudo";
+    option = "security.pam.enableSudoTouchIdAuth";
+  in ''
+    ${if isEnabled then ''
+      # Enable sudo Touch ID authentication, if not already enabled
+      if ! grep 'pam_tid.so' ${file} > /dev/null; then
+        sed -i "" '2i\
+        auth       sufficient     pam_tid.so # nix-darwin: ${option}
+        ' ${file}
+      fi
+    '' else ''
+      # Disable sudo Touch ID authentication, if added by nix-darwin
+      if grep '${option}' ${file} > /dev/null; then
+        sed -i "" '/${option}/d' ${file}
+      fi
+    ''}
+  '';
 in
 
 {
@@ -25,19 +55,7 @@ in
     system.activationScripts.pam.text = ''
       # PAM settings
       echo >&2 "setting up pam..."
-      ${if cfg.enableSudoTouchIdAuth then ''
-        # Enable sudo Touch ID authentication
-        if ! grep pam_tid.so /etc/pam.d/sudo > /dev/null; then
-          sed -i.orig '2i\
-          auth       sufficient     pam_tid.so
-          ' /etc/pam.d/sudo
-        fi
-      '' else ''
-        # Disable sudo Touch ID authentication
-        if test -e /etc/pam.d/sudo.orig; then
-          mv /etc/pam.d/sudo.orig /etc/pam.d/sudo
-        fi
-      ''}
+      ${mkSudoTouchIdAuthScript cfg.enableSudoTouchIdAuth}
     '';
   };
 }