Change option name and switch to using activation script
parent
1d98da837f
commit
ca57e8bcdb
5 changed files with 45 additions and 24 deletions
|
@ -2,6 +2,7 @@
|
||||||
./alias.nix
|
./alias.nix
|
||||||
./documentation
|
./documentation
|
||||||
./misc/lib.nix
|
./misc/lib.nix
|
||||||
|
./security/pam.nix
|
||||||
./security/pki
|
./security/pki
|
||||||
./security/sandbox
|
./security/sandbox
|
||||||
./system
|
./system
|
||||||
|
@ -29,7 +30,6 @@
|
||||||
./system/launchd.nix
|
./system/launchd.nix
|
||||||
./system/patches.nix
|
./system/patches.nix
|
||||||
./system/shells.nix
|
./system/shells.nix
|
||||||
./system/sudo.nix
|
|
||||||
./system/version.nix
|
./system/version.nix
|
||||||
./time
|
./time
|
||||||
./networking
|
./networking
|
||||||
|
|
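--- a/modules/security/pam.nix
+++ b/modules/security/pam.nix
@@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+cfg = config.security.pam;
+in
+
+{
+options = {
+security.pam.enableSudoTouchIdAuth = mkEnableOption ''
+Enable sudo authentication with Touch ID
+
+When enabled, this option adds the following line to /etc/pam.d/sudo:
+
+auth sufficient pam_tid.so
+
+(Note that macOS resets this file when doing a system update. As such, sudo
+authentication with Touch ID won't work after a system update until the nix-darwin
+configuration is reapplied.)
+'';
+};
+
+config = {
+system.activationScripts.pam.text = ''
+# PAM settings
+echo >&2 "setting up pam..."
+${if cfg.enableSudoTouchIdAuth then ''
+# Enable sudo Touch ID authentication
+if ! grep pam_tid.so /etc/pam.d/sudo > /dev/null; then
+sed -i.orig '2i\
+auth sufficient pam_tid.so
+' /etc/pam.d/sudo
+fi
+'' else ''
+# Disable sudo Touch ID authentication
+if test -e /etc/pam.d/sudo.orig; then
+mv /etc/pam.d/sudo.orig /etc/pam.d/sudo
+fi
+''}
+'';
+};
+}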
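Review bot: The disable branch (`mv /etc/pam.d/sudo.orig /etc/pam.d/sudo`) restores whatever snapshot `sed -i.orig` took at enable time instead of removing the inserted line, so if macOS has since rewritten /etc/pam.d/sudo the activation reverts the system's newer PAM stack to a stale copy, and the `test -e` branch also runs on every activation for hosts that never enabled the option. Deleting only the line nix-darwin added is safer: `sed -i '' '/^auth .*pam_tid\.so/d' /etc/pam.d/sudo`. The enable-side check `grep pam_tid.so` matches a commented-out entry as well, so `grep -q '^auth .*pam_tid\.so'` is a tighter idempotency test, and the fixed `2i` insert presumably relies on line 1 being the `# sudo:` header so that the `sufficient` rule lands before the other auth modules — worth a comment stating that assumption next to the sed call.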
|
@ -56,6 +56,7 @@ in
|
||||||
${cfg.activationScripts.groups.text}
|
${cfg.activationScripts.groups.text}
|
||||||
${cfg.activationScripts.users.text}
|
${cfg.activationScripts.users.text}
|
||||||
${cfg.activationScripts.applications.text}
|
${cfg.activationScripts.applications.text}
|
||||||
|
${cfg.activationScripts.pam.text}
|
||||||
${cfg.activationScripts.patches.text}
|
${cfg.activationScripts.patches.text}
|
||||||
${cfg.activationScripts.etc.text}
|
${cfg.activationScripts.etc.text}
|
||||||
${cfg.activationScripts.defaults.text}
|
${cfg.activationScripts.defaults.text}
|
||||||
|
|
|
@ -1,8 +0,0 @@
|
||||||
--- /etc/pam.d/sudo
|
|
||||||
+++ /etc/pam.d/sudo
|
|
||||||
@@ -1,4 +1,5 @@
|
|
||||||
# sudo: auth account password session
|
|
||||||
+auth sufficient pam_tid.so
|
|
||||||
auth sufficient pam_smartcard.so
|
|
||||||
auth required pam_opendirectory.so
|
|
||||||
account required pam_permit.so
|
|
|
@ -1,15 +0,0 @@
|
||||||
{ config, lib, pkgs, ... }:
|
|
||||||
|
|
||||||
with lib;
|
|
||||||
|
|
||||||
let
|
|
||||||
cfg = config.system.sudo;
|
|
||||||
in
|
|
||||||
|
|
||||||
{
|
|
||||||
options = {
|
|
||||||
system.sudo.touchid.enable = mkEnableOption "Enable sudo authentication with Touch ID";
|
|
||||||
};
|
|
||||||
|
|
||||||
config = mkIf cfg.touchid.enable { system.patches = [ ./etc-pam.d-sudo.patch ]; };
|
|
||||||
}
|
|