pam: unconditionally create pam.d/sudo_local

LnL7 · Feb 19, 2025 · 9646928 · 9646928
1 parent b69e605
commit 9646928
Showing 1 changed file with 17 additions and 25 deletions.
diff --git a/modules/security/pam.nix b/modules/security/pam.nix
@@ -32,30 +32,22 @@ in
     };
   };
 
-  config =
-  let
-    isPamEnabled = (cfg.enableSudoTouchIdAuth || cfg.enablePamReattach);
-
-    # Implementation Notes
-    #
-    # Uses `environment.etc` to create the `/etc/pam.d/sudo_local` file that will be used
-    # to manage all things pam related for nix-darwin. An activation script will run to check
-    # for the existance of the line `auth       include        sudo_local`. This is included
-    # in macOS Sonoma and later. If the line is not there already then `sed` will add it.
-    # In those cases, the line will include the marker (`security.pam.sudo_local`),
-    # to make it easier to identify the line that should be deleted when the option is disabled.
-    # Upgrading to Sonoma from a previous version should see the `/etc/pam.d/sudo` file
-    # replaced with one containing the `auth        include        sudo_local` line, but
-    # it will not include the marker because this line's inclusion is now managed by Apple.
-  in
-  {
-    environment.etc."pam.d/sudo_local" = {
-      enable = isPamEnabled;
-      text = lib.concatLines (
-        (lib.optional cfg.enablePamReattach "auth       optional       ${pkgs.pam-reattach}/lib/pam/pam_reattach.so")
-        ++ (lib.optional cfg.enableSudoTouchIdAuth "auth       sufficient     pam_tid.so")
-      );
-    };
+  # Implementation Notes
+  #
+  # Uses `environment.etc` to create the `/etc/pam.d/sudo_local` file that will be used
+  # to manage all things pam related for nix-darwin. An activation script will run to check
+  # for the existance of the line `auth       include        sudo_local`. This is included
+  # in macOS Sonoma and later. If the line is not there already then `sed` will add it.
+  # In those cases, the line will include the marker (`security.pam.sudo_local`),
+  # to make it easier to identify the line that should be deleted when the option is disabled.
+  # Upgrading to Sonoma from a previous version should see the `/etc/pam.d/sudo` file
+  # replaced with one containing the `auth        include        sudo_local` line, but
+  # it will not include the marker because this line's inclusion is now managed by Apple.
+  config = {
+    environment.etc."pam.d/sudo_local".text = lib.concatLines (
+      (lib.optional cfg.enablePamReattach "auth       optional       ${pkgs.pam-reattach}/lib/pam/pam_reattach.so")
+      ++ (lib.optional cfg.enableSudoTouchIdAuth "auth       sufficient     pam_tid.so")
+    );
     system.activationScripts.pam.text =
     let
       file = "/etc/pam.d/sudo";
@@ -66,7 +58,7 @@ in
     ''
       # PAM settings
       echo >&2 "setting up pam..."
-      ${if isPamEnabled then ''
+      ${if cfg.enableSudoTouchIdAuth || cfg.enablePamReattach then ''
         # REMOVEME when macOS 13 no longer supported
         # Always clear out older implementation if it exists
         if grep '${deprecatedOption}' ${file} > /dev/null; then