Change option name and switch to using activation script
This commit is contained in:
parent
1d98da837f
commit
ca57e8bcdb
5 changed files with 45 additions and 24 deletions
|
@ -2,6 +2,7 @@
|
|||
./alias.nix
|
||||
./documentation
|
||||
./misc/lib.nix
|
||||
./security/pam.nix
|
||||
./security/pki
|
||||
./security/sandbox
|
||||
./system
|
||||
|
@ -29,7 +30,6 @@
|
|||
./system/launchd.nix
|
||||
./system/patches.nix
|
||||
./system/shells.nix
|
||||
./system/sudo.nix
|
||||
./system/version.nix
|
||||
./time
|
||||
./networking
|
||||
|
|
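--- a/modules/security/pam.nix
+++ b/modules/security/pam.nix
@@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+cfg = config.security.pam;
+in
+
+{
+options = {
+security.pam.enableSudoTouchIdAuth = mkEnableOption ''
+Enable sudo authentication with Touch ID
+
+When enabled, this option adds the following line to /etc/pam.d/sudo:
+
+auth sufficient pam_tid.so
+
+(Note that macOS resets this file when doing a system update. As such, sudo
+authentication with Touch ID won't work after a system update until the nix-darwin
+configuration is reapplied.)
+'';
+};
+
+config = {
+system.activationScripts.pam.text = ''
+# PAM settings
+echo >&2 "setting up pam..."
+${if cfg.enableSudoTouchIdAuth then ''
+# Enable sudo Touch ID authentication
+if ! grep pam_tid.so /etc/pam.d/sudo > /dev/null; then
+sed -i.orig '2i\
+auth sufficient pam_tid.so
+' /etc/pam.d/sudo
+fi
+'' else ''
+# Disable sudo Touch ID authentication
+if test -e /etc/pam.d/sudo.orig; then
+mv /etc/pam.d/sudo.orig /etc/pam.d/sudo
+fi
+''}
+'';
+};
+}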
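Review bot: The guard `if ! grep pam_tid.so /etc/pam.d/sudo > /dev/null; then` in the enable branch matches any line that merely contains the token, including a commented-out `#auth sufficient pam_tid.so`, so the sed insert is skipped and Touch ID silently stays off while the option reports it enabled. Anchoring the pattern to an active auth entry, `if ! grep -qE '^auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so' /etc/pam.d/sudo; then`, makes the check mean what the comment above it says. The disable branch restores `/etc/pam.d/sudo.orig`, a backup written whenever the enable branch last ran; the option text itself states that macOS rewrites this file on system updates, so that backup can be older than the current file and the `mv` would replace macOS's fresh PAM policy with a stale copy. Removing only the inserted entry, `sed -i '' '/^auth[[:space:]]*sufficient[[:space:]]*pam_tid\.so/d' /etc/pam.d/sudo`, avoids carrying an outdated file forward. The `2i\` insert also assumes line 1 of the file is the header comment; if the first line is already an auth entry, pam_tid.so lands after it rather than first, which changes the evaluation order the docstring promises.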
|
@ -56,6 +56,7 @@ in
|
|||
${cfg.activationScripts.groups.text}
|
||||
${cfg.activationScripts.users.text}
|
||||
${cfg.activationScripts.applications.text}
|
||||
${cfg.activationScripts.pam.text}
|
||||
${cfg.activationScripts.patches.text}
|
||||
${cfg.activationScripts.etc.text}
|
||||
${cfg.activationScripts.defaults.text}
|
||||
|
|
|
@ -1,8 +0,0 @@
|
|||
--- /etc/pam.d/sudo
|
||||
+++ /etc/pam.d/sudo
|
||||
@@ -1,4 +1,5 @@
|
||||
# sudo: auth account password session
|
||||
+auth sufficient pam_tid.so
|
||||
auth sufficient pam_smartcard.so
|
||||
auth required pam_opendirectory.so
|
||||
account required pam_permit.so
|
|
@ -1,15 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.system.sudo;
|
||||
in
|
||||
|
||||
{
|
||||
options = {
|
||||
system.sudo.touchid.enable = mkEnableOption "Enable sudo authentication with Touch ID";
|
||||
};
|
||||
|
||||
config = mkIf cfg.touchid.enable { system.patches = [ ./etc-pam.d-sudo.patch ]; };
|
||||
}
|