I have enabled
services.fprintd.enable. Which is happened to be a default value of
security.pam.services.<name>.fprintAuth. But I want only specified pam services to have it enabled. I was thinking of using
lib.mkDefault, but how to apply it on an option inside attribute set of submodules.
I have enabled
That means you can just set
services.fprintd.enable to true
Unless you don’t want it to be
true (because of other side effect).
Since I don’t know how to answer your question directly, you can try to overwrite the side unexpected side effect, our reimplement expected one…
but you can also set
services.fprintd.package = pkgs.emptyDir if your problems is that you already have fprint comming from somewhere else that are conflicting.
systemd.services.<name>) if the problem is how it is configuring systemd service for you…
Basically, I wanted to be able to use my fingerprint to authenticate only in doas (sudo alternative).
To do that, I set
services.fprintd.enable = true. To enable fprintd.
doas as well as many other apps use PAM to authenticate users. PAM configures separately for each service via
security.pam.services.<name>.fprintAuth which is an attribute. But I only want
fprintAuth to be enabled for
doas. And the default for
security.pam.services.<name>.fprintAuth comes from
So the possible solution I see now are:
security.pam.services.<name>.fprintAuthfor each service except PAM. Which seems excessive.
- Reimplement whole PAM nixos module. Which also very excessive.
- Change just default of
security.pam.services.<name>.fprintAuth. Normally, I guess it should be done via
mkDefault. But due to
security.pam.servicesis in attrset of submodules. I am not sure how to use