cruegge / pam-gnupg

Unlock GnuPG keys on login
GNU General Public License v3.0

security.pam.services.sddm.gnupg doesn't work on NixOS #50

Closed FF-AntiK closed 8 months ago

FF-AntiK commented 8 months ago

Here's the relevant part from configuration.nix:

security.pam.services.sddm.gnupg = {
  enable = true;
  storeOnly = true;
};

The resulting /etc/pam.d/sddm looks like this:

auth     substack login
account  include  login
password substack login
session  include  login

As you can see, the relevant pam_gnupg.so lines are not appended. When I use security.pam.services.login.gnupg, the pam_gnupg.so lines are correctly inserted into /etc/pam.d/login.

e-tho commented 8 months ago

+1, greetd is also affected.

cruegge commented 8 months ago

It's been a while since I worked with NixOS, but their PAM config is not as flexible as it should be. Some services (including sddm) override the PAM config completely, ignoring most options provided via security.pam.services.

If I remember correctly, the only workaround is copy-pasting the config I linked, and overriding it via mkForce.

I think this is a NixOS issue, so please open a ticket with them. I'm going to close this; if I'm mistaken, feel free to reopen.
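
A check for the situation reported in this thread, as an added example that is not part of the issue or of pam-gnupg's own code: it resolves `include` and `substack` lines so you can see whether pam_gnupg.so ends up in a service's effective stack, rather than looking only at that service's own file. The function names and the contents of the `login` file are constructed for illustration; the `sddm` file is the one quoted above.

```python
import os
import tempfile

def effective_modules(service, pam_dir="/etc/pam.d", only_type=None, seen=()):
    """List (type, module, args) for a PAM service, following include/substack."""
    path = os.path.join(pam_dir, service)
    if service in seen or not os.path.isfile(path):
        return []  # include loop or missing file
    result = []
    with open(path) as fh:
        for raw in fh:
            fields = raw.split("#", 1)[0].split()
            if len(fields) < 3:
                continue  # blank line, comment or malformed entry
            ptype = fields[0].lstrip("-")  # "-auth": do not log if the module is missing
            if only_type and ptype != only_type:
                continue  # an include pulls in only lines of its own type
            i = 1
            if fields[1].startswith("["):  # bracketed control, e.g. [success=1 default=ignore]
                while i < len(fields) - 1 and not fields[i].endswith("]"):
                    i += 1
            if i + 1 >= len(fields):
                continue
            control, module, args = " ".join(fields[1:i + 1]), fields[i + 1], fields[i + 2:]
            if control in ("include", "substack"):
                result += effective_modules(module, pam_dir, ptype, seen + (service,))
            else:
                result.append((ptype, os.path.basename(module), args))
    return result

def types_using(service, module="pam_gnupg.so", pam_dir="/etc/pam.d"):
    """Return the sorted PAM types whose effective stack loads `module`."""
    return sorted({t for t, m, _ in effective_modules(service, pam_dir) if m == module})

def build_demo(login_has_gnupg):
    """Write a throwaway pam.d: sddm as quoted in the issue, login constructed."""
    d = tempfile.mkdtemp()
    sddm = ("auth     substack login\naccount  include  login\n"
            "password substack login\nsession  include  login\n")
    login = "".join(f"{t} required pam_unix.so\n" for t in ("auth", "account", "password", "session"))
    if login_has_gnupg:  # constructed lines
        login += "auth optional pam_gnupg.so store-only\nsession optional pam_gnupg.so\n"
    for name, text in (("sddm", sddm), ("login", login)):
        with open(os.path.join(d, name), "w") as fh:
            fh.write(text)
    return d

if __name__ == "__main__":
    for flag in (False, True):
        print(flag, types_using("sddm", pam_dir=build_demo(flag)))
```

On a real system, call `types_using("sddm")` with the default `pam_dir` after a rebuild to confirm what the display manager's stack actually loads.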