From 2009432a847ac990a8bc86b2b11db6c034ed925c Mon Sep 17 00:00:00 2001 From: Kyle Kneitinger Date: Mon, 21 Dec 2020 04:12:37 -0800 Subject: [PATCH] nixos/fprintd: option to inhibit PAM rule creation Currently, `security.pam.services..fprintAuth`'s default value is the value of `services.fprintd.enable`. Since many fingerprint readers are located on laptops in such a way that they may be inaccessible when the laptop lid is closed, it is tedious to undo this default for commonly used services such as `sudo`, while keeping occasional services like login or screen lockers. This commit adds the `services.fprintd.global` (default: `true`), that prevents fprintd PAM rules from being created for every service. By having a default value of `true`, every user's current configs will behave identically to before if they choose to not set this option. --- nixos/modules/security/pam.nix | 2 +- nixos/modules/services/security/fprintd.nix | 32 +++++++++------------ 2 files changed, 15 insertions(+), 19 deletions(-) diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index a428103eaa963..fb3e21c30e5d6 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -125,7 +125,7 @@ let }; fprintAuth = mkOption { - default = config.services.fprintd.enable; + default = config.services.fprintd.enable && config.services.fprintd.global; type = types.bool; description = '' If set, fingerprint reader will be used (if exists and diff --git a/nixos/modules/services/security/fprintd.nix b/nixos/modules/services/security/fprintd.nix index cbac4ef05b8d3..9b5b3a13f209e 100644 --- a/nixos/modules/services/security/fprintd.nix +++ b/nixos/modules/services/security/fprintd.nix 
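Review bot: The `description` of `fprintAuth` is left as it was, so a reader of the per-service option cannot tell that its default now also depends on `services.fprintd.global`. The description text continues past the end of this hunk. Because the default is computed from `config`, the generated option documentation cannot show it unless a `defaultText` is supplied. I would add `defaultText = "config.services.fprintd.enable && config.services.fprintd.global";` beside the new `default` line. The description should also say that an explicit per-service `fprintAuth = true` still takes effect when `global` is `false`.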
@@ -3,25 +3,29 @@ with lib; let - cfg = config.services.fprintd; - in - - { - ###### interface options = { - services.fprintd = { - enable = mkOption { type = types.bool; default = false; description = '' - Whether to enable fprintd daemon and PAM module for fingerprint readers handling. + Whether to enable fprintd daemon and PAM module for fingerprint + readers handling. + ''; + }; + + global = mkOption { + type = types.bool; + default = true; + description = '' + Whether to create fprintAuth PAM rules for all + services when services.fprintd.enable is + true. ''; }; @@ -33,22 +37,14 @@ in fprintd package to use. ''; }; - }; - }; ###### implementation - config = mkIf cfg.enable { - - services.dbus.packages = [ pkgs.fprintd ]; - - environment.systemPackages = [ pkgs.fprintd ]; - + services.dbus.packages = [ cfg.package ]; + environment.systemPackages = [ cfg.package ]; systemd.packages = [ cfg.package ]; - }; - }
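Review bot: The description of the new `global` option does not explain what a user must do after setting it to `false`, and it does not name the option it feeds. With the default of `true`, enabling the daemon still offers fingerprint authentication to every PAM service, including privilege-escalation services such as `sudo`, which the commit message mentions. I would state the allowlist usage explicitly, for example `If false, no service uses the fingerprint reader unless security.pam.services.<name>.fprintAuth is set to true for it.` The bare name `global` says nothing about PAM, so a more descriptive name would make configurations easier to audit.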
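Review bot: In the implementation hunk, `services.dbus.packages` and `environment.systemPackages` switch from `pkgs.fprintd` to `cfg.package`, a behaviour change the commit description does not mention. The change looks right, since the D-Bus files, the command-line tools and the systemd unit then all come from the same package. However, anyone who overrides `services.fprintd.package` now gets different D-Bus files and binaries installed than before. It should be called out in the commit message or split into its own commit. A short comment above the three lines would record the intent, e.g. `# D-Bus files, CLI tools and the systemd unit must come from the same package`.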