NixOS - edit system files

hallettj, 1 year ago (edited 4 months ago)

I did some digging around in the manual, and I tested this option which seems to work:

<span style="color:#323232;">security.pam.services.doas.fprintAuth = true;
</span>

On my machine that adds this line to /etc/pam.d/doas:

<span style="color:#323232;">auth sufficient /nix/store/fq4vbhdk8dqywxirg3wb99zidfss7sbi-fprintd-1.94.2/lib/security/pam_fprintd.so # fprintd (order 11400)
</span>

Edit: Note that the NixOS option puts in the full path to pam_fprintd.so. That’s necessary because NixOS doesn’t put so files in search paths.

Without doing more research I don’t know how to add arbitrary options to pam files in case you run into something that isn’t mapped to a NixOS option yet. The implementation for the pam options is here; there might be something in there that would work.

wwwgem, 1 year ago

Thanks very much. That’s exactly what I needed. I’m still not used to the diversity of NixOS documentation and was not aware of this one.

wwwgem, 1 year ago

Just realized that I had this line in my config already but the change was not applied until I reboot. 😳

2xsaiko, 1 year ago

Arbitrary options are internal so are not shown in the options search. They’re at security.pam.services.<name>.rules.

Here’s the options that get added using the public options including fprintAuth: github.com/NixOS/nixpkgs/blob/…/pam.nix#L621

wwwgem, 1 year ago

Thanks! I’m still not used to the diversity of all the NixOS documentarian and was not aware that arbitrary options can be found there.

hallettj, 1 year ago

Although they’re not in the search, they are in the manual so you can find them searching that page. This one is listed as,

<span style="color:#323232;">security.pam.services..fprintAuth
</span>

But it does take some inferences to find this, and to realize that you can put doas in place of ``

2xsaiko, 1 year ago

No, that one is in the search as well. It’s a normal option. search.nixos.org/options?show=security.pam.servic…

What isn’t and also isn’t in the manual is the rules options. Those are all internal.

wwwgem, 1 year ago

As I said I’ve actually done it before asking… But I didn’t reboot and and that was needed for the change to take effect ¯_(ツ)_/¯