add fingerprint support for login

2023-09-28 19:47:00 +01:00 · 2023-09-28 19:47:00 +01:00 · 20f1ca70fa
parent 78a5e913cf
commit 20f1ca70fa
6 changed files with 45 additions and 5 deletions
--- a/hosts/lappy-t495/lappy-t495.nix
+++ b/hosts/lappy-t495/lappy-t495.nix
@ -11,6 +11,7 @@
    profiles.cross.arm64
    profiles.remoteBuilders
    profiles.chaosInternalWireGuard
+    profiles.fingerprint

    ./secrets.nix
  ];
--- a/presets/nixos/laptop.nix
+++ b/presets/nixos/laptop.nix
@ -8,6 +8,8 @@
    profiles.tor
  ];

+  services.fwupd.enable = true;
+
  # TODO: Better DNS setup
  services.resolved.enable = false;
  environment.etc."resolv.conf".text = ''
--- a/profiles/base/access.nix
+++ b/profiles/base/access.nix
@ -1,5 +0,0 @@
-{lib, ...}: let
-  inherit (lib.modules) mkForce;
-in {
-  security.sudo.wheelNeedsPassword = mkForce false;
-}
--- a/profiles/base/sudo.nix
+++ b/profiles/base/sudo.nix
@ -0,0 +1,5 @@
+{lib, ...}: let
+  inherit (lib.modules) mkDefault;
+in {
+  security.sudo.wheelNeedsPassword = mkDefault false;
+}
--- a/profiles/fingerprint.nix
+++ b/profiles/fingerprint.nix
@ -0,0 +1,35 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}: let
+  inherit (lib.modules) mkIf mkForce;
+in {
+  services.fprintd.enable = true;
+
+  security.sudo.wheelNeedsPassword = mkForce true;
+
+  security.pam.services = {
+    sudo.fprintAuth = true;
+    login.fprintAuth = false;
+
+    gdm-fingerprint = mkIf (config.services.xserver.displayManager.gdm.enable) {
+      text = ''
+        auth       required                    pam_shells.so
+        auth       requisite                   pam_nologin.so
+        auth       requisite                   pam_faillock.so      preauth
+        auth       required                    ${pkgs.fprintd}/lib/security/pam_fprintd.so
+        auth       optional                    pam_permit.so
+        auth       required                    pam_env.so
+        auth       [success=ok default=1]      ${pkgs.gnome.gdm}/lib/security/pam_gdm.so
+
+        account    include                     login
+
+        password   required                    pam_deny.so
+
+        session    include                     login
+      '';
+    };
+  };
+}
--- a/profiles/gui/environments/gnome/default.nix
+++ b/profiles/gui/environments/gnome/default.nix
@ -72,5 +72,7 @@ in {

  programs.dconf.enable = true;

+  services.gnome.gnome-keyring.enable = mkForce false;
+
  services.xserver = {layout = "gb";};
 }