

commit 34581dafda417971934f71c97fc9c4919ffd5d0d
parent a3d642d87fbd4d938e9628dda320478adf842090
Author: Katja (ctucx) <git@ctu.cx>
Date: Tue, 25 Mar 2025 13:57:04 +0100

modules/nixos/gnome: improve pam foo
1 file changed, 63 insertions(+), 21 deletions(-)
M
modules/nixos/gnome.nix
|
84
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--------------------
diff --git a/modules/nixos/gnome.nix b/modules/nixos/gnome.nix
@@ -302,28 +302,70 @@ in {
     };
 
     # GDM LFS PAM modules, adapted somehow to NixOS
-    security.pam.services.gdm-launch-environment.text = ''
-      auth     required       pam_succeed_if.so audit quiet_success user = gdm
-      auth     optional       pam_permit.so
-
-      account  required       pam_succeed_if.so audit quiet_success user = gdm
-      account  sufficient     pam_unix.so
-
-      password required       pam_deny.so
-
-      session  required       pam_succeed_if.so audit quiet_success user = gdm
-      session  required       pam_env.so conffile=/etc/pam/environment readenv=0
-      session  optional       ${config.systemd.package}/lib/security/pam_systemd.so
-      session  optional       pam_keyinit.so force revoke
-      session  optional       pam_permit.so
-    '';
+    security.pam.services = {
+      gdm-launch-environment.text = ''
+        auth     required       pam_succeed_if.so audit quiet_success user = gdm
+        auth     optional       pam_permit.so
+
+        account  required       pam_succeed_if.so audit quiet_success user = gdm
+        account  sufficient     pam_unix.so
+
+        password required       pam_deny.so
+
+        session  required       pam_succeed_if.so audit quiet_success user = gdm
+        session  required       pam_env.so conffile=/etc/pam/environment readenv=0
+        session  optional       ${config.systemd.package}/lib/security/pam_systemd.so
+        session  optional       pam_keyinit.so force revoke
+        session  optional       pam_permit.so
+      '';
+
+      gdm-password.text = ''
+        auth      substack      login
+        account   include       login
+        password  substack      login
+        session   include       login
+      '';
+
+      gdm-autologin.text = ''
+        auth      requisite     pam_nologin.so
+        auth      required      pam_succeed_if.so uid >= 1000 quiet
+        ${lib.optionalString config.security.pam.services.login.enableGnomeKeyring ''
+          auth       [success=ok default=1]      ${pkgs.gdm}/lib/security/pam_gdm.so
+          auth       optional                    ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so
+        ''}
+        auth      required      pam_permit.so
+
+        account   sufficient    pam_unix.so
+
+        password  requisite     pam_unix.so nullok yescrypt
+
+        session   optional      pam_keyinit.so revoke
+        session   include       login
+      '';
+
+      # This would block password prompt when included by gdm-password.
+      # GDM will instead run gdm-fingerprint in parallel.
+      login.fprintAuth = lib.mkIf config.services.fprintd.enable false;
+
+      gdm-fingerprint.text = lib.mkIf config.services.fprintd.enable ''
+        auth       required                    pam_shells.so
+        auth       requisite                   pam_nologin.so
+        auth       requisite                   pam_faillock.so      preauth
+        auth       required                    ${pkgs.fprintd}/lib/security/pam_fprintd.so
+        auth       required                    pam_env.so
+        ${lib.optionalString config.security.pam.services.login.enableGnomeKeyring ''
+          auth       [success=ok default=1]      ${pkgs.gdm}/lib/security/pam_gdm.so
+          auth       optional                    ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so
+        ''}
+
+        account    include                     login
+
+        password   required                    pam_deny.so
+
+        session    include                     login
+      '';
+    };
 
-    security.pam.services.gdm-password.text = ''
-      auth      substack      login
-      account   include       login
-      password  substack      login
-      session   include       login
-    '';
   };
 
 }
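Review bot: The new gdm-fingerprint stack consults pam_faillock with `preauth` (the `auth requisite pam_faillock.so preauth` line) but never calls it with `authfail` or `authsucc`, so failed fingerprint attempts in this service are never recorded and the lock check that `preauth` performs only ever reflects failures counted by other services; pam_faillock does not learn the result of the preceding module on its own, it has to be reached only on the failure path. With pam_fprintd left as plain `required` the remaining auth lines (pam_env, pam_gdm, gnome_keyring) run on both outcomes, so the usual `sufficient` + `authfail` + `pam_deny.so` shape would skip the keyring lines on success; a skip-based control keeps them reachable while still recording failures and resetting the counter on success, as in the rewrite below. Alternatively, if lockout tracking is not intended for fingerprint logins at all, drop the `preauth` line so the file does not suggest a protection it does not provide. Separately, `${pkgs.fprintd}/lib/security/pam_fprintd.so` bypasses whatever `services.fprintd.package` resolves to (presumably the TOD variant when that is enabled), so `config.services.fprintd.package` is likely the safer reference if that option exists in the NixOS revision in use.
```nix
        auth       requisite                   pam_faillock.so      preauth
        auth       [success=1 default=ignore]  ${pkgs.fprintd}/lib/security/pam_fprintd.so
        auth       [default=die]               pam_faillock.so      authfail
        auth       required                    pam_faillock.so      authsucc
        # … unchanged: pam_env, optional pam_gdm / gnome_keyring lines, account/password/session …
```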