cookiez/NixOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fprintd better PAM configuration, better timeout length and hyprlock support

Browse Source
This commit is contained in:
Cookiez
2026-06-12 11:07:49 +02:00
parent c9f2d4eccf
commit 9584a00673
1 changed files with 22 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
modules/configuration.nix
View File

@ -144,9 +144,11 @@ in {
# List services that you want to enable:
services = {
fprintd.enable = true;
fprintd.tod.enable = true;
fprintd.tod.driver = pkgs.libfprint-2-tod1-goodix;
fprintd = {
enable = true;
tod.enable = true;
tod.driver = pkgs.libfprint-2-tod1-goodix;
};
fwupd.enable = true; #Allows BIOS updates
@ -357,28 +359,31 @@ in {
security = {
sudo.wheelNeedsPassword = false;
pam.services = {
login.fprintAuth = false;
sudo.fprintAuth = false; #Disabled because of security risk: https://nvd.nist.gov/vuln/detail/cve-2024-37408
kscreenlocker.fprintAuth = true;
polkit-1.fprintAuth = false; #Disabled because of security risk: https://nvd.nist.gov/vuln/detail/cve-2024-37408
kde.fprintAuth = false;
hyprlock = {};
sddm = {
fprintAuth = false; # prevent NixOS from adding its own pam_fprintd block
text = lib.mkForce ''
pam.services = let
fprintPam = ''
auth sufficient ${pam-fprint-grosshack-pkg}/lib/security/pam_fprintd_grosshack.so
auth sufficient pam_unix.so try_first_pass nullok
auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so
auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so timeout=0
account required pam_unix.so
password required pam_deny.so
session required pam_unix.so
session optional ${pkgs.systemd}/lib/security/pam_systemd.so
'';
in {
login.fprintAuth = false;
sudo.fprintAuth = false; #Disabled because of security risk: https://nvd.nist.gov/vuln/detail/cve-2024-37408
kscreenlocker.fprintAuth = true;
polkit-1.fprintAuth = false; #Disabled because of security risk: https://nvd.nist.gov/vuln/detail/cve-2024-37408
kde.fprintAuth = false;
hyprlock = {
text = lib.mkForce fprintPam;
};
sddm = {
fprintAuth = false; # prevent NixOS from adding its own pam_fprintd block
text = lib.mkForce fprintPam;
};
};
};