Change option name and switch to using activation script

modules/module-list.nix

@@ -2,6 +2,7 @@
   ./alias.nix
   ./documentation
   ./misc/lib.nix
+  ./security/pam.nix
   ./security/pki
   ./security/sandbox
   ./system
@@ -29,7 +30,6 @@
   ./system/launchd.nix
   ./system/patches.nix
   ./system/shells.nix
-  ./system/sudo.nix
   ./system/version.nix
   ./time
   ./networking

modules/security/pam.nix

@@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.security.pam;
+in
+
+{
+  options = {
+    security.pam.enableSudoTouchIdAuth = mkEnableOption ''
+      Enable sudo authentication with Touch ID
+
+      When enabled, this option adds the following line to /etc/pam.d/sudo:
+
+          auth       sufficient     pam_tid.so
+
+      (Note that macOS resets this file when doing a system update. As such, sudo
+      authentication with Touch ID won't work after a system update until the nix-darwin
+      configuration is reapplied.)
+    '';
+  };
+
+  config = {
+    system.activationScripts.pam.text = ''
+      # PAM settings
+      echo >&2 "setting up pam..."
+      ${if cfg.enableSudoTouchIdAuth then ''
+        # Enable sudo Touch ID authentication
+        if ! grep pam_tid.so /etc/pam.d/sudo > /dev/null; then
+          sed -i.orig '2i\
+          auth       sufficient     pam_tid.so
+          ' /etc/pam.d/sudo
+        fi
+      '' else ''
+        # Disable sudo Touch ID authentication
+        if test -e /etc/pam.d/sudo.orig; then
+          mv /etc/pam.d/sudo.orig /etc/pam.d/sudo
+        fi
+      ''}
+    '';
+  };
+}

modules/system/activation-scripts.nix

@@ -56,6 +56,7 @@ in
       ${cfg.activationScripts.groups.text}
       ${cfg.activationScripts.users.text}
       ${cfg.activationScripts.applications.text}
+      ${cfg.activationScripts.pam.text}
       ${cfg.activationScripts.patches.text}
       ${cfg.activationScripts.etc.text}
       ${cfg.activationScripts.defaults.text}

modules/system/etc-pam.d-sudo.patch

@@ -1,8 +0,0 @@
---- /etc/pam.d/sudo
-+++ /etc/pam.d/sudo
-@@ -1,4 +1,5 @@
- # sudo: auth account password session
-+auth       sufficient     pam_tid.so
- auth       sufficient     pam_smartcard.so
- auth       required       pam_opendirectory.so
- account    required       pam_permit.so

modules/system/sudo.nix

@@ -1,15 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.system.sudo;
-in
-
-{
-  options = {
-    system.sudo.touchid.enable = mkEnableOption "Enable sudo authentication with Touch ID";
-  };
-
-  config = mkIf cfg.touchid.enable { system.patches = [ ./etc-pam.d-sudo.patch ]; };
-}