I have enabled services.fprintd.enable, which happens to be the default value of security.pam.services.<name>.fprintAuth. But I want only specified PAM services to have it enabled. I was thinking of using lib.mkDefault, but how do I apply it to an option inside an attribute set of submodules?
Default is config.services.fprintd.enable
That means you can just set services.fprintd.enable to true.
Unless you don’t want it to be true (because of other side effects).
Since I don’t know how to answer your question directly, you can try to overwrite the unexpected side effect, or reimplement the expected one…
i.e.: services.fprintd.enable installs pkgs.fprintd, but you can also set services.fprintd.package = pkgs.emptyDir if your problem is that you already have fprint coming from somewhere else that is conflicting, or systemd.services.fprintd (systemd.services.<name>) if the problem is how it is configuring the systemd service for you…
Not quite.
Basically, I wanted to be able to use my fingerprint to authenticate only in doas (sudo alternative).
To do that, I set services.fprintd.enable = true to enable fprintd.
doas, as well as many other apps, uses PAM to authenticate users. PAM is configured separately for each service via security.pam.services.<name>.fprintAuth, which is an attribute. But I only want fprintAuth to be enabled for doas. And the default for security.pam.services.<name>.fprintAuth comes from services.fprintd.enable.
So the possible solutions I see now are:
- Disable security.pam.services.<name>.fprintAuth for each service except PAM. Which seems excessive.
- Reimplement the whole PAM NixOS module. Which is also very excessive.
- Change just the default of security.pam.services.<name>.fprintAuth. Normally, I guess it should be done via mkDefault. But because security.pam.services is an attrset of submodules, I am not sure how to use mkDefault then.
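
One way to do the third option, as an added example that is not part of the original thread: declare security.pam.services a second time with an extra submodule, so the module system merges it into the existing declaration and applies lib.mkDefault false to every service. It assumes doas is already enabled elsewhere in the configuration and that this file is imported as an ordinary NixOS module.

```nix
{ lib, ... }:
{
  # Second declaration of an option the NixOS PAM module already declares.
  # attrsOf/submodule types are mergeable, so this submodule is added to
  # every security.pam.services.<name> entry instead of replacing anything.
  options.security.pam.services = lib.mkOption {
    type = lib.types.attrsOf (lib.types.submodule {
      # mkDefault (priority 1000) beats the option's built-in default
      # (priority 1500), which is config.services.fprintd.enable, but
      # still loses to any plain assignment made elsewhere.
      config.fprintAuth = lib.mkDefault false;
    });
  };

  config = {
    # Keep the fingerprint daemon running.
    services.fprintd.enable = true;

    # Opt in only the service that should accept a fingerprint.
    security.pam.services.doas.fprintAuth = true;
  };
}
```

After a rebuild, searching the generated files under /etc/pam.d for pam_fprintd.so is a quick way to confirm that only the doas service still references the fingerprint module.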