Lemurs (login manager) has audio and permission (logind) issues?

frozen.frog23 · March 13, 2026, 12:06pm

hi

  services.displayManager.lemurs.enable = true;
  # ...
  users.users.USER.isNormalUser = true;
  users.users.USER.extraGroups = [
    "input"
    "networkmanager"
    "seat" # the description of *.lemurs.enable DEMANDS this, despite the fact that its a default in services.seatd.group
    "wheel"
  ];

does an oopsie - audio doesnt work (dummy outputs):

$ pipewire 

[E][...] mod.protocol-native | [module-protocol-:  803 lock_socket()] server 0x5582f52744d0: unable to lock lockfile '/run/user/1000/pipewire-0.lock': Resource temporarily unavailable (maybe another daemon is running)
[E][...] pw.conf      | [          conf.c:  602 load_module()] 0x5582f522a990: could not load mandatory module "libpipewire-module-protocol-native": Resource temporarily unavailable
[E][...] default      | [      pipewire.c:  124 main()] failed to create context: Resource temporarily unavailable

$ pipewire-pulse

[W][...] mod.protocol-pulse | [        server.c:  634 start_unix_server()] server 0x5636bf5d1480: socket '/run/user/1000/pulse/native' is in use
[W][...] mod.protocol-pulse | [        server.c: 1062 servers_create_and_start()] pulse-server 0x5636bf5d1590: failed to start server on 'unix:/run/user/1000/pulse/native': Address already in use
[E][...] mod.protocol-pulse | [  pulse-server.c: 5555 pw_protocol_pulse_new()] 0x5636bf5d1590: no servers could be started: Address already in use
[E][...] pw.conf      | [          conf.c:  602 load_module()] 0x5636bf57a990: could not load mandatory module "libpipewire-module-protocol-pulse": Address already in use
[E][...] default      | [      pipewire.c:  124 main()] failed to create context: Address already in use

and now it asks a password for anything:

$ systemctl reboot

==== AUTHENTICATING FOR org.freedesktop.login1.reboot ====
Authentication is required to reboot the system.

...

^ this one does work, though ^

$ reboot

Call to Reboot failed:
Access denied as the requested operation
requires interactive authentication.
However, interactive authentication
has not been enabled by the calling program.

yeah… this never happened before (it should reboot immediately AND audio should work lol). here is the module in question:

github.com/NixOS/nixpkgs

nixos/modules/services/display-managers/lemurs.nix

fe416aaed

{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.services.displayManager.lemurs;
  settingsFormat = pkgs.formats.toml { };
in
{
  imports = [
    (lib.mkRemovedOptionModule [
      "services"
      "displayManager"
      "lemurs"
      "vt"
    ] "The VT is now fixed to VT1.")
  ];

This file has been truncated. show original

anyway, i found these relevant issues:

github.com/coastalwhite/lemurs

Audio/Pipewire doesnt work when doing login via lemurs, but works when doing a manual startx to bspwm

opened 07:44PM - 22 Jan 24 UTC

closed 01:42AM - 27 Feb 24 UTC

ghost

Im using Fedora 39 systemd 254.7 After fixing the xsetup problem that was re…lated to permissions, i encountered another problem, but now, with audio/pipewire, where it doesnt work I did not find anything that indicates the problem in the logs Tried to add the `exec dbus-launch` and `pipewire` in the launch script, but in the end, it did nothing, since i thought that was a dbus or pipewire launching problem at first So i gone directly for pipewire and wireplumber, and looks like its modules and files arent being able to load or a unavailable ``` $ pipewire [E][01591.956256] mod.protocol-native | [module-protocol-: 760 lock_socket()] server 0x561322308b90: unable to lock lockfile '/run/user/1000/pipewire-0.lock': Resource temporarily unavailable (maybe another daemon is running) [E][01591.956753] pw.conf | [ conf.c: 573 load_module()] 0x5613222e3500: could not load mandatory module "libpipewire-module-protocol-native": Resource temporarily unavailable [E][01591.957051] default | [ pipewire.c: 105 main()] failed to create context: Resource temporarily unavailable ``` ``` $ wireplumber M 14:10:00.368569 wp-device ../lib/wp/device.c:619:wp_spa_device_new_from_spa_factory: SPA handle 'api.libcamera.enum.manager' could not be loaded; is it installed? M 14:10:00.368601 script/libcamera libcamera.lua:173:chunk: PipeWire's libcamera SPA missing or broken. libcamera not supported. W 14:10:00.377610 pw ../spa/plugins/bluez5/upower.c:54:upower_get_percentage_properties_reply: Failed to get percentage from UPower: org.freedesktop.DBus.Error.NameHasNoOwner W 14:10:00.382941 spa.bluez5.native ../spa/plugins/bluez5/backend-native.c:1840:sco_listen: listen(): Address already in use W 14:10:00.383089 spa.bluez5.native ../spa/plugins/bluez5/backend-native.c:2393:register_profile_reply: RegisterProfile() failed: org.bluez.Error.NotPermitted W 14:10:00.383104 spa.bluez5.native ../spa/plugins/bluez5/backend-native.c:2393:register_profile_reply: RegisterProfile() failed: org.bluez.Error.NotPermitted ``` But while using only startx (im not using a .xinitrc, im using only `startx /usr/bin/bspwm`), pipeiwire is loaded normally and i can play audio normally (And without creating another issue, im having problems were poweroff, reboot, shutdown, ect. They have an output that says that it fails to call the program, since it need an interactive authentication. `Call to PowerOff failed: Interactive authentication required.`)

github.com/NixOS/nixpkgs

nixos/xfce: Mouse and keyboard not working when using Lemurs

opened 08:42AM - 21 Aug 25 UTC

ZhiZe-ZG

0.kind: bug 6.topic: nixos 6.topic: xfce

### Nixpkgs version - Unstable (25.11) ### Describe the bug When using the Le…murs display manager packaged in NixOS (nixpkgs), logging into an XFCE session results in no mouse or keyboard input. Other DMs, such as Ly, work fine with the same XFCE setup. I'm not sure if it's a problem of lemurs itself or the nix files that install lemurs. ### Steps to reproduce Write this in configuration: ```nix services.xserver.desktopManager.xfce.enable = true; services.xserver.displayManager.lemurs.enable = true; ``` Then rebuild, switch and reboot. After login, mouse and keyboard don't have respond. Other window manager (like leftwm) also not work with lemurs. ### Expected behaviour XFCE session should accept input devices, similar to other DMs like Ly. ### Screenshots _No response_ ### Relevant log output ```console ``` ### Additional context _No response_ ### System metadata - system: `"x86_64-linux"` - host os: `Linux 6.12.42, NixOS, 25.11 (Xantusia), 25.11.20250819.97eb7ee` - multi-user?: `yes` - sandbox: `yes` - version: `nix-env (Nix) 2.28.4` - nixpkgs: `/nix/store/0nhqsm3lzxj71a9asqy05l1v9y7pqfc1-source` ### Notify maintainers --- **Note for maintainers:** Please tag this issue in your pull request description. (i.e. `Resolves #ISSUE`.) ### I assert that this issue is relevant for Nixpkgs - [x] I assert that this is a bug and not a support request. - [x] I assert that this is not a [duplicate of an existing issue](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+label%3A%220.kind%3A+bug%22+label%3A%226.topic%3A+nixos%22). - [x] I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it. ### Is this issue important to you? Add a :+1: [reaction] to [issues you find important]. [reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/ [issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc

but theres nothing that helps me… i know the module is new and all…

this problem does NOT happen (reproduce) with any other login (display) manager… help… anything else i should provide the output of..? (am noob, sry)

P.S. im using greetd with tuigreet for now. perhaps one should compare lemurs.nix and greetd.nix? the latter doesnt require "seat" user group btw! however, on an unrelated note, it does seem to duplicate (quite literally multiply!) sessions (in its list of desktops to choose from) for some reason (lemurs doesnt btw!), but thats out of topic…

like so:

  services.greetd.enable = true;
  services.greetd.useTextGreeter = true;
  services.greetd.settings.default_session.command = "${pkgs.tuigreet}/bin/tuigreet";

nixpkgs/nixos/modules/services/display-managers/greetd.nix at fe416aaedd397cacb33a610b33d60ff2b431b127 · NixOS/nixpkgs · GitHub

EDIT1: oops sorry i forgot to add the #Help tag…

EDIT2: i could probably do something in lemur’s config.toml? im gonna check these out in a minute:

  services.displayManager.lemurs.settings.pam_service = "";
  services.displayManager.lemurs.settings.shell_login_flag = "";
  services.displayManager.lemurs.settings.system_shell = "";

actually, i probably shouldve used regular old bash for this, my bad! lemme try again and ill report back… istg if its shell trickery again…

no, even using bash (system wide) - all the same.

could be nothing, but i noticed that "${pkgs.bash}/bin/bash" is the default for system_shell setting in lemurs.nix, but it is "/bin/sh" in the original config.toml… uh

EDIT3: ok i found it creates this thing: /etc/pam.d/lemurs, but… where is the /etc/lemurs/config.toml? i dont have it in there (nor the directory itself)..? is it somewhere else..?

i can see in its lemurs.nix module that it should be generating it via:

  services.displayManager.generic.execCmd = "exec ${lib.getExe cfg.package} --config ${settingsFormat.generate "config.toml" cfg.settings}";

but uhm… isnt it deprecated..?

Whether to enable generic display manager integration - deprecated.

github.com/NixOS/nixpkgs

nixos/modules/services/display-managers/generic.nix

nixos-unstable

{ config, lib, ... }:
let
  cfg = config.services.displayManager.generic;
in
{
  imports = [
    (lib.mkRenamedOptionModule
      [ "services" "displayManager" "preStart" ]
      [ "services" "displayManager" "generic" "preStart" ]
    )
    (lib.mkRenamedOptionModule
      [ "services" "displayManager" "execCmd" ]
      [ "services" "displayManager" "generic" "execCmd" ]
    )
    (lib.mkRenamedOptionModule
      [ "services" "displayManager" "environment" ]
      [ "services" "displayManager" "generic" "environment" ]
    )
  ];

This file has been truncated. show original

Enabling display-manager.service implicitly due to services.displayManager.generic.execCmd being set; this will be removed eventually.

Please set services.displayManager.generic.enable explicitly, or switch your display manager to use upstream systemd units (preferred).

EDIT4: ok i checked the (hopefully correct) service called display-manager.service that it is creating and here are the logs:

$ systemctl status --no-pager --full display-manager.service

systemd[1]: Started Display Manager.
lemurs[1161]: gkr-pam: unable to locate daemon control file
lemurs[1161]: gkr-pam: stashed password to try later in open session
lemurs[1161]: pam_unix(lemurs:session): session opened for user deck(uid=1000) by (uid=0)
lemurs[1161]: gkr-pam: gnome-keyring-daemon started properly and unlocked keyring

sheesh can i just mention that its insanely difficult to remember all the commands to check services with… dear me

and this systemd-logind.service too:

$ systemctl status --no-pager --full systemd-logind.service

systemd-logind[973]: New seat seat0.
systemd[1]: Started User Login Management.
systemd-logind[973]: New session 'c1' of user 'deck' with class 'user' and type 'wayland'.
systemd-logind[973]: New session '1' of user 'deck' with class 'manager' and type 'unspecified'.
systemd-logind[973]: Session c1 logged out. Waiting for processes to exit.

sidenote: i am using a custom programs.uwsm.waylandCompositors, but it happens all the same on a non-UWSM session. and no, im not using any x11 sessions (i still have to have xserver enabled for my little stupid games though, ffs). oh and yes, i do uwsm finalize, so i dont think its environment related???

anyway i checked both of their configs in /etc/systemd/system/display-manager.service and /etc/systemd/system/systemd-logind.service (as well as the entire subdirectory) and there is no mention of lemurs, config.toml or --config option / argument thingie (and i grep’d the entire /etc/ too!)… erm… where is services.displayManager.generic.execCmd even going? huh? is it literally a shell command? i could be stupid…

ok i could create my own config.toml and force it with lemurs --config /path/config.toml (since im not even sure if it has one anywhere) with some, you know, automated script that goes off early or something, but no, this is as far as i go

EDIT5: oh, services.displayManager.lemurs.settings is completely ignored, so my attempts were futile

EDIT6: wait wait wait, hold on a second… what is this???

/var/log/lemurs.log

[WARN  lemurs::post_login] Failed to read from the X folder '/etc/lemurs/wms'
[WARN  lemurs::post_login] Failed to read from the wayland folder '/etc/lemurs/wayland'

i mean, yeah, it didnt create an /etc/lemurs/ at all! so there is no config or settings for it, DUH. …i still dont know why i have no audio and some permissions are broken, though…

SORRY for over 9000 edits that keep bumping this up and up, i, too, dont want it to do that

EDIT7: ach, i thought i was onto something here, but no… i was trying to explicitly enable stuff, but yeah, no:

  services.seatd.enable = true;
  # ...
  security.pam.services.lemurs.allowNullPassword = true;
  security.pam.services.lemurs.setLoginUid = false;
  security.pam.services.lemurs.startSession = true;
  security.pam.services.lemurs.unixAuth = true;

welp, i tried. i dunno, guys, i think using a deprecated generic display manager to kickstart other services is a bad idea, is it not? theyre using a dedicated lemurs.service upstream (rather than stuffing the display-manager.service), but idk what im talking about, im too dumb!

by the way, remember that comment i left on the "seat" user group all the way at the top? yeah, if one doesnt set it themselves, then one wouldnt get into their desktop session, its gonna be a blinking underscore! crazy, right? its as if options that the lemurs.nix module is setting (services.seatd.enable) that already have this user group BY DEFAULT are ignored or something! interestingly enough, there are no errors in the logs when you DONT set that group explicitly, btw, but i can still simply CTRL+C my way out of that state… boggling!

EDIT8: nevermind! that (above) was irrelevant, I THINK. anyway, i found the config.toml’s. well, they’re in /nix/store/, who wouldve thonk. um, so, remember that lemurs.log in my EDIT6? its unrelated to my problem, but is actually a clue: so those are actually the defaults from the original config.toml upstream (am i using this term correctly?), which is expecting things to be in /etc/lemurs/, which nixos doesnt generate, because it uses a custom config.toml in /nix/store/ that it sets with a bash script via services.displayManager.generic.execCmd, which generates a /nix/store/...-unit-script-display-manager-start/bin/display-manager-start script, okay? but check this out: this is what it says in the original config.toml:

# Note: that as of now you need to have all options in the selected
# configuration file. Otherwise Lemurs will not work.

but this is the content of the config.toml in the /nix/store/...-config.toml

include_tty_shell = true
initial_path = "/run/current-system/sw/bin"
shell_login_flag = "long"
system_shell = "/nix/store/...-bash-interactive-5.3p9/bin/bash"
tty = 1

[wayland]
wayland_sessions_path = "/nix/store/...-desktops/share/wayland-sessions"

[x11]
xauth_path = "/nix/store/...-xauth-1.1.5/bin/xauth"
xserver_path = "/nix/store/...-xorg-server-21.1.21/bin/X"
xsessions_path = "/nix/store/...-desktops/share/xsessions"
xsetup_path = "/nix/...-xsession-wrapper"

so did i get this right: not everything was “nixified”, right? as in, it needs more work, basically? for example, these are non-existent paths that lemurs.nix defaults to:

x11.scripts_path = "/etc/lemurs/wms"
wayland.scripts_path = "/etc/lemurs/wayland"

okay, thats problem number one. that was an easy one. it wasnt even the problem that im having, just an observation that… this module is not perfect. anyway, problem number two: what’s wrong with permissions (and consequentially with the audio)? well, i compared /etc/pam.d/lemurs and /etc/pam.d/greetd and…

/etc/pam.d/lemurs

# Account management.
account required /nix/store/...-linux-pam-1.7.1/lib/security/pam_unix.so # unix (order 10900)

# Authentication management.
auth optional /nix/store/...-linux-pam-1.7.1/lib/security/pam_unix.so likeauth # unix-early (order 11700)
auth optional /nix/store/...-gnome-keyring-48.0/lib/security/pam_gnome_keyring.so # gnome_keyring (order 12200)
auth sufficient /nix/store/...-linux-pam-1.7.1/lib/security/pam_unix.so likeauth try_first_pass # unix (order 12900)
auth required /nix/store/...-linux-pam-1.7.1/lib/security/pam_deny.so # deny (order 13700)

# Password management.
password sufficient /nix/store/...-linux-pam-1.7.1/lib/security/pam_unix.so nullok yescrypt # unix (order 10200)
password optional /nix/store/...-gnome-keyring-48.0/lib/security/pam_gnome_keyring.so use_authtok # gnome_keyring (order 11100)

# Session management.
session required /nix/store/...-linux-pam-1.7.1/lib/security/pam_env.so conffile=/etc/pam/environment readenv=0 # env (order 10100)
session required /nix/store/...-linux-pam-1.7.1/lib/security/pam_unix.so # unix (order 10200)
session optional /nix/store/...-systemd-259/lib/security/pam_systemd.so # systemd (order 12000)
session required /nix/store/...-linux-pam-1.7.1/lib/security/pam_limits.so conf=/nix/store/...-limits.conf # limits (order 12200)
session optional /nix/store/...-gnome-keyring-48.0/lib/security/pam_gnome_keyring.so auto_start # gnome_keyring (order 12600)

/etc/pam.d/greetd

# Account management.
account required /nix/store/...-linux-pam-1.7.1/lib/security/pam_unix.so # unix (order 10900)

# Authentication management.
auth optional /nix/store/...-linux-pam-1.7.1/lib/security/pam_unix.so likeauth nullok # unix-early (order 11700)
auth optional /nix/store/...-gnome-keyring-48.0/lib/security/pam_gnome_keyring.so # gnome_keyring (order 12200)
auth sufficient /nix/store/...-linux-pam-1.7.1/lib/security/pam_unix.so likeauth nullok try_first_pass # unix (order 12900)
auth required /nix/store/...-linux-pam-1.7.1/lib/security/pam_deny.so # deny (order 13700)

# Password management.
password sufficient /nix/store/...-linux-pam-1.7.1/lib/security/pam_unix.so nullok yescrypt # unix (order 10200)
password optional /nix/store/...-gnome-keyring-48.0/lib/security/pam_gnome_keyring.so use_authtok # gnome_keyring (order 11100)

# Session management.
session required /nix/store/...-linux-pam-1.7.1/lib/security/pam_env.so conffile=/etc/pam/environment readenv=0 # env (order 10100)
session required /nix/store/...-linux-pam-1.7.1/lib/security/pam_unix.so # unix (order 10200)
session required /nix/store/...-linux-pam-1.7.1/lib/security/pam_loginuid.so # loginuid (order 10300)
session optional /nix/store/...-systemd-259/lib/security/pam_systemd.so # systemd (order 12000)
session required /nix/store/...-linux-pam-1.7.1/lib/security/pam_limits.so conf=/nix/store/...-limits.conf # limits (order 12200)
session optional /nix/store/...-gnome-keyring-48.0/lib/security/pam_gnome_keyring.so auto_start # gnome_keyring (order 12600)

ive no idea what i was trying to say here, but maybe someone could spot a difference and be like “ohhhh thats why audio doesnt work, riiight… but of course, the whatchamacallit priority isnt matching the doodad” or something! however, that nullok is missing, im not sure if its important but i think this is the one responsible for it - security.pam.services.lemurs.allowNullPassword? sorry if its dumb and useless. but yeah, i think something something security.pam.services.lemurs.* is breaking muh audio, ugh!

thanks in advance!!!

mightyiam · March 14, 2026, 1:42pm

Dude. I appreciate details in questions, but… this would take me an hour to read. Can you, like, clean this up, split it up into multiple questions, making it more concise?