update nix darwin to 23.05
pcasaretto committed Oct 18, 2023
1 parent a2254c1 commit 24f02eb
Showing 2 changed files with 6 additions and 70 deletions.
69 changes: 2 additions & 67 deletions flake.nix
Expand Up @@ -4,7 +4,7 @@
inputs = {

# Package sets
nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-22.05-darwin";
nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-23.05-darwin";
nixpkgs-unstable.url = github:NixOS/nixpkgs/nixpkgs-unstable;

# Environment/system management
Expand Down Expand Up @@ -49,7 +49,7 @@
{
darwinConfigurations.overdose = darwin.lib.darwinSystem rec {
system = "aarch64-darwin";
modules = attrValues self.darwinModules ++ [
modules = [
# Main `nix-darwin` config
./configuration.nix
# `home-manager` module
Expand Down Expand Up @@ -85,70 +85,5 @@
};
};
};

# My `nix-darwin` modules that are pending upstream, or patched versions waiting on upstream
# fixes.
darwinModules = {
security-pam =
# Upstream PR: https://github.com/LnL7/nix-darwin/pull/228
{ config, lib, pkgs, ... }:

with lib;

let
cfg = config.security.pam;

# Implementation Notes
#
# We don't use `environment.etc` because this would require that the user manually delete
# `/etc/pam.d/sudo` which seems unwise given that applying the nix-darwin configuration requires
# sudo. We also can't use `system.patchs` since it only runs once, and so won't patch in the
# changes again after OS updates (which remove modifications to this file).
#
# As such, we resort to line addition/deletion in place using `sed`. We add a comment to the
# added line that includes the name of the option, to make it easier to identify the line that
# should be deleted when the option is disabled.
mkSudoTouchIdAuthScript = isEnabled:
let
file = "/etc/pam.d/sudo";
option = "security.pam.enableSudoTouchIdAuth";
in ''
${if isEnabled then ''
# Enable sudo Touch ID authentication, if not already enabled
if ! grep 'pam_tid.so' ${file} > /dev/null; then
sed -i "" '2i\
auth sufficient pam_tid.so # nix-darwin: ${option}
' ${file}
fi
'' else ''
# Disable sudo Touch ID authentication, if added by nix-darwin
if grep '${option}' ${file} > /dev/null; then
sed -i "" '/${option}/d' ${file}
fi
''}
'';
in

{
options = {
security.pam.enableSudoTouchIdAuth = mkEnableOption ''
Enable sudo authentication with Touch ID
When enabled, this option adds the following line to /etc/pam.d/sudo:
auth sufficient pam_tid.so
(Note that macOS resets this file when doing a system update. As such, sudo
authentication with Touch ID won't work after a system update until the nix-darwin
configuration is reapplied.)
'';
};

config = {
system.activationScripts.extraActivation.text = ''
# PAM settings
echo >&2 "setting up pam..."
${mkSudoTouchIdAuthScript cfg.enableSudoTouchIdAuth}
'';
};
};
};
};
}
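Review bot: The removal of the whole `darwinModules.security-pam` block (and the matching `attrValues self.darwinModules ++` drop in the `modules = [` hunk above) is not covered by the commit message, which only mentions the 23.05 bump. If `./configuration.nix` (not visible here) still sets `security.pam.enableSudoTouchIdAuth`, evaluation now relies on the upstream nix-darwin module the removed comment says was pending; presumably it has landed, but that is the claim worth stating explicitly, e.g. `# security.pam.enableSudoTouchIdAuth is now provided by upstream nix-darwin; local patched module removed` next to the `modules = [` line. One behavioural caveat to confirm: the removed module identified its own line in `/etc/pam.d/sudo` via the `# nix-darwin: security.pam.enableSudoTouchIdAuth` marker, so if the upstream module writes a different marker, a line inserted by the old script may be left in place and neither cleaned up nor detected on disable.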
7 changes: 4 additions & 3 deletions home.nix
Expand Up @@ -29,20 +29,21 @@

# Dev stuff
# (agda.withPackages (p: [ p.standard-library ]))
fd # fast find
babashka # clojure scripting
ctop # top for containers
coreutils # GNU coreutils
ctop # top for containers
curlie # curl helper
dbeaver # db client
devenv # Fast, Declarative, Reproducible, and Composable Developer Environments using Nix
dotenv # change env using a file for one off commands
dbeaver # db client
fd # fast find
fzf # fast fuzzy file finder
gnupg
google-cloud-sdk
jq # for handling json
kcat # cat for kafka
mosh # persistent ssh sessions
nodejs_20 # dependency for emacs Github Copilot
peco # choose options in cli scripts
ripgrep # searching files fast
rlwrap # wrap commands with a sane CLI

0 comments on commit 24f02eb
