I have enabled services.fprintd.enable. Which is happened to be a default value of security.pam.services.<name>.fprintAuth. But I want only specified pam services to have it enabled. I was thinking of using lib.mkDefault, but how to apply it on an option inside attribute set of submodules.
1 Like
Default is
config.services.fprintd.enable
That means you can just set services.fprintd.enable to true
Unless you don’t want it to be true (because of other side effect).
Since I don’t know how to answer your question directly, you can try to overwrite the side unexpected side effect, our reimplement expected one…
ie:
services.fprintd.enable installs pkgs.fprintd
but you can also set
services.fprintd.package = pkgs.emptyDir if your problems is that you already have fprint comming from somewhere else that are conflicting.
or systemd.services.fprintd (systemd.services.<name>) if the problem is how it is configuring systemd service for you…
Not quite.
Basically, I wanted to be able to use my fingerprint to authenticate only in doas (sudo alternative).
To do that, I set services.fprintd.enable = true. To enable fprintd.
doas as well as many other apps use PAM to authenticate users. PAM configures separately for each service via security.pam.services.<name>.fprintAuth which is an attribute. But I only want fprintAuth to be enabled for doas. And the default for security.pam.services.<name>.fprintAuth comes from services.fprintd.enable.
So the possible solution I see now are:
- Disable
security.pam.services.<name>.fprintAuthfor each service except PAM. Which seems excessive. - Reimplement whole PAM nixos module. Which also very excessive.
- Change just default of
security.pam.services.<name>.fprintAuth. Normally, I guess it should be done viamkDefault. But due tosecurity.pam.servicesis in attrset of submodules. I am not sure how to usemkDefaultthen.