security.pam.enableSudoTouchIdAuth can no longer be used

I’m doing a nix flake update and when I try to build I get this error

       … while calling the 'derivationStrict' builtin

         at /builtin/derivation.nix:9:12: (source not available)

       … while evaluating derivation 'darwin-system-25.05.adf5c88'
         whose name attribute is located at /nix/store/8rv7qar60c9p7hzwfa02syvl4yzrgmsm-source/pkgs/stdenv/generic/make-derivation.nix:375:7

       … while evaluating attribute 'activationScript' of derivation 'darwin-system-25.05.adf5c88'

         at /nix/store/ndx3c38gkfbrgcjz8w0czyw9a1d93ijk-source/modules/system/default.nix:97:7:

           96|
           97|       activationScript = cfg.activationScripts.script.text;
             |       ^
           98|       activationUserScript = cfg.activationScripts.userScript.text;

       (stack trace truncated; use '--show-trace' to show the full trace)

       error: The option `security.pam.enableSudoTouchIdAuth' can no longer be used since it's been removed. This option has been renamed to `security.pam.services.sudo_local.touchIdAuth` for consistency with NixOS.

In my flake.nix I have

 option = "security.pam.enableSudoTouchIdAuth";

but updating that line doesn’t resolve it.

What do I need to do?

My setup is here: GitHub - philcruz/nixconfig-public

As mentioned in the error message, the new option is called security.pam.services.sudo_local.touchIdAuth

Thanks. But as I mentioned I updated to

          let
            file   = "/etc/pam.d/sudo";
            option = "security.pam.services.sudo_local.touchIdAuth";

and I still get the error. What am I missing?

Here’s the full output if that helps

The line you changed there is just for leaving a comment in the generated file. This line is the one that’s actually reading the option:

So that’s what you need to fix.

That’s a string, a string is not an option. The problem line is mentioned above.

Thanks for clarifying the problematic line.

Could you tell me what I need to change to fix it?

I set up nix-darwin because I wanted to get away from managing 3 different machines manually. While I got it to work, I never have been able to really understand how it works and how to troubleshoot. I really want to but can’t seem to find docs that I can understand.

Every few months I go to do an update and I find myself down a rabbit hole when I just want to get on with other stuff.

Anyway, I appreciate the help so far but if you can tell me what I need to change that would be great. Even better if you can help me understand how to troubleshoot things better.

Change the line

cfg = config.security.pam;

to

cfg = config.security.pam.services.sudo_local;

and

the line

${mkSudoTouchIdAuthScript cfg.enableSudoTouchIdAuth}

to

${mkSudoTouchIdAuthScript cfg.touchIdAuth}

That should do the trick. I don’t know why you wrote it in separate lines because you don’t seem to use cfg anywhere else but I leave that up to you.


Thanks!

That did the trick.

I don’t know why you wrote it in separate lines because you don’t seem to use cfg anywhere else

I did it that way because I just copied that setup from here.

You should remove all of this. The upstream PR it is excerpted from was merged 2½ years ago, and the functionality has since been adjusted further.

I strongly recommend against pasting module/system activation code into your configuration without understanding them. Following outdated guides is a good way to end up with really confusing errors.

Edit:

It looks like you don’t even include security-pam in your configuration. So you can just remove all of that and then replace the option with the new one where you actually set it.

IIRC the nix-index module is also unnecessary as there is a module upstream in nix-index already.

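To make the two fixes above concrete, here is a minimal nix-darwin module showing the removed option beside its replacement. This is an added example, not code from the thread or from the linked nixconfig-public repository; it assumes a flake-based nix-darwin setup where this file is imported into the `modules` list of a `darwinConfigurations` entry, and that no hand-rolled activation script for Touch ID remains in the configuration.

```nix
# Added example (not from the thread or the OP's repository):
# a plain nix-darwin module that enables Touch ID for sudo.
# Assumption: it is imported via darwinConfigurations.<host>.modules.
{ config, lib, pkgs, ... }:

{
  # Before: this option was removed and now aborts evaluation with
  #   "The option `security.pam.enableSudoTouchIdAuth' can no longer be used"
  #
  #   security.pam.enableSudoTouchIdAuth = true;

  # After: the same setting under its new name. The upstream module
  # writes the PAM configuration itself, so no custom activation
  # script (and no private copy of the security-pam module) is needed.
  security.pam.services.sudo_local.touchIdAuth = true;
}

# Checking the change (commands are assumptions about the usual workflow):
#   darwin-rebuild build --flake . --show-trace   # full trace on failure
#   darwin-rebuild switch --flake .
#   grep pam_tid.so /etc/pam.d/sudo_local          # should match once applied
```

If the option name is ever unclear, search it on https://search.nixos.org/options (for NixOS) or read the module source in the nix-darwin checkout pinned by your flake.lock; the error message names the replacement, and a `grep -r enableSudoTouchIdAuth` over your own configuration finds every place the old name is still read, not just where it is quoted in a string.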

@emily Thanks.

Yeah, I started using nix 2 years ago. I came across articles like Tutorial: Getting started with Home Manager for Nix | Mattia Gheda which gave enough example code to get things working.

I didn’t really understand but figured “just get it working and you can learn the details over time”. Unfortunately, learning the details over time has not happened but not due to lack of desire. I really want to learn/understand but haven’t yet been pointed to or found resources that help me move forward. (Flake vs not to flake is confusing for newbies as well.)

When I hit issues, people are super helpful, but they generally say "just do X" to fix it without giving all the background. Which is totally fine, I appreciate any help and there is no obligation to help me further.

Not sure why I have a hard time with Nix. I’m a software engineer, deal with package managers, AWS, DevOps, and such.

But if someone can point me to The Way that would be great…

Relying on blog posts from years ago will get you in trouble, nixpkgs changes too quickly for most of those things to be valid. Just get used to searching in https://search.nixos.org/options and possibly going through module code to see if your usecase is already covered by an option.


Don’t worry you will get there. I’m a Mechanical Engineer and got there so you should be able to do it as well :wink:.

As @waffle8946 already wrote, the key thing is reading code, a lot of code. Once I started looking at the implementation of the modules it clicked for me. And you get a feeling for how things are done.
