I3lock not configured correctly maybe due to bad PAM configurtion in default NixOS?

Help
1

i3lock does not appear to be functioning correctly anymore. Anytime I input the correct password, it refused to unlock. I have been able to unlock by going to tty2 and running pkill i3lock after logging into that terminal session.

I also verified the password I was giving i3lock by running i3lock --debug in my terminal. It prints my key presses and I was able to see that I was in fact inputting my password correctly.

I did some research and it seems like this could be a setup issue on Nixos’s side of things? Specifically related to PAM. I have not touched PAM at all in my configuration but perhaps someone else is more familiar with what’s going on?

2

It seems to be related to a recent change on PAM handling. Which version of Nixpkgs are you following?

3

I am following the unstable branch.

    "nixpkgs": {
      "locked": {
        "lastModified": 1746141548,
        "narHash": "sha256-IgBWhX7A2oJmZFIrpRuMnw5RAufVnfvOgHWgIdds+hc=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "f02fddb8acef29a8b32f10a335d44828d7825b78",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
4

Have you set programs.i3lock.enable to true?

5

Oh you know what, I do not. I did not do this because my i3lock installed manually through my home manager config.

I guess I’ll need to do something hacky here, but I can figure it out. I was trying to setup everything as much as possible through home manager, but it looks like that’s not really going to be possible here.

6

Okay unfortunately, I’m not completely sure that’s it. I am using the i3lock provided through programs.i3lock.enable.

7

Hmm. A few things to test:

  • Is there a symlink at /etc/pam.d/i3lock?
  • In a REPL loaded with your NixOS config (on a channels-based system, I’d do this with nix repl --file '<nixpkgs/nixos>'; I don’t know if that works for flakes too), can you confirm that
    • config.programs.i3lock.enable is definitely true?
    • config.security.pam.services.i3lock.enable is also true?
8

OH well I can confirm no such symlink exists on my system

So with flakes, I did the following

$ nix repl

nix-repl> x = builtins.getFlake “/path/to/project/dir”
nix-repl> x.nixosConfigurations.solaris.options.programs.i3lock.enable

{
__toString = «lambda __toString @ /nix/store/zggank8h7rfa8p2rrnwymjcpj3k4ds5l-source/lib/modules.nix:1091:20»;
_type = “option”;
declarationPositions = [ … ];
declarations = [ … ];
default = false;
definitions = [ … ];
definitionsWithLocations = [ … ];
description = “Whether to enable i3lock.”;
example = true;
files = [ … ];
highestPrio = 100;
isDefined = true;
loc = [ … ];
options = [ … ];
type = { … };
value = true;
}

But then take a look at this.

nix-repl> x.nixosConfigurations.solaris.options.security.pam.services.i3lock.enable
error: attribute ‘i3lock’ missing
at «string»:1:1:
1| x.nixosConfigurations.solaris.options.security.pam.services.i3lock.enable
| ^

I was able to autocomplete this until I got to the “security” attribute.

9

You’re showing me the options. tree; check config. instead please?

10 
nix-repl> x.nixosConfigurations.solaris.config.programs.i3lock.enable
true

nix-repl> x.nixosConfigurations.solaris.config.security.pam.services.i3lock.enable
true

Sorry for the late reply, here we go!

11

I’m at a loss. With those values set to true, I don’t see how it could be possible that a system gets built without an /etc/pam.d/i3lock symlink. I guess double-check that you’re building what you think you’re building?

12

Hmmm weird, I just checked and have the symlink now and everything works. I did update my flakes sometime during this. But I think it’s very likely possible I mixed up configurations and didn’t have it enabled correctly either. I’m very sorry for the troubles. It looks like things are working find again.

1 Like