From b953cdb4be0b51687cf71ac45d97641d8b091d61 Mon Sep 17 00:00:00 2001
From: Cookiez
Date: Wed, 25 Mar 2026 11:16:30 +0100
Subject: [PATCH] Fixed SDDM fingerprint not working. - Added a new custom flake input of pam_fprintd_grosshack so it accepts either password or fingerprint
---
 flake.lock | 38 ++++++++++++++++++++++++++++++++++++++
 flake.nix | 7 +++++++
 modules/configuration.nix | 19 +++++++++++++++++--
 3 files changed, 62 insertions(+), 2 deletions(-)
diff --git a/flake.lock b/flake.lock
index 3304778..7cb0d28 100644
--- a/flake.lock
+++ b/flake.lock
@@ -465,6 +465,43 @@ "type": "github" } }, + "pam-fprint-grosshack": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "pam-fprint-src": "pam-fprint-src" + }, + "locked": { + "lastModified": 1774432303, + "narHash": "sha256-IdsKBu1HV1mYJMVuAL0GJiWeEkMrdW691aW8D6Zr15I=", + "ref": "refs/heads/main", + "rev": "7ad351f85a92fee40806cb81777430c33499be41", + "revCount": 1, + "type": "git", + "url": "https://gitea.iateyourcookies.com/cookiez/nix-fprint-grosshack-flake.git" + }, + "original": { + "type": "git", + "url": "https://gitea.iateyourcookies.com/cookiez/nix-fprint-grosshack-flake.git" + } + }, + "pam-fprint-src": { + "flake": false, + "locked": { + "lastModified": 1658952526, + "narHash": "sha256-obczZbf/oH4xGaVvp3y3ZyDdYhZnxlCWvL0irgEYIi0=", + "owner": "mishakmak", + "repo": "pam-fprint-grosshack", + "rev": "45b42524fb5783e1e555067743d7e0f70d27888a", + "type": "gitlab" + }, + "original": { + "owner": "mishakmak", + "repo": "pam-fprint-grosshack", + "type": "gitlab" + } + }, "plasma-manager": { "inputs": { "home-manager": [
@@ -518,6 +555,7 @@ "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs_2", "nixvim": "nixvim", + "pam-fprint-grosshack": "pam-fprint-grosshack", "plasma-manager": "plasma-manager", "quickshell": "quickshell", "stylix": "stylix",
diff --git a/flake.nix b/flake.nix
index 6088c89..982f262 100644
--- a/flake.nix
+++ b/flake.nix
@@ -42,6 +42,11 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ pam-fprint-grosshack = {
+ url = "git+https://gitea.iateyourcookies.com/cookiez/nix-fprint-grosshack-flake.git";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
 nix-flatpak.url = "github:gmodena/nix-flatpak";
 grub2-themes.url = "github:vinceliuice/grub2-themes";
@@ -50,6 +55,7 @@
 outputs = inputs @ {
 nixpkgs,
 alejandra,
+ pam-fprint-grosshack,
 home-manager,
 plasma-manager,
 nixos-hardware,
@@ -81,6 +87,7 @@
 inherit system;
 inherit project;
 inherit alejandra;
+ pam-fprint-grosshack-pkg = pam-fprint-grosshack.packages.${system}.default;
 host = hostname;
 };
 modules =
diff --git a/modules/configuration.nix b/modules/configuration.nix
index 2bd06ba..a94793c 100644
--- a/modules/configuration.nix
+++ b/modules/configuration.nix
@@ -13,6 +13,7 @@
 host,
 version,
 system,
+ pam-fprint-grosshack-pkg,
 ...
 }: {
 #Assign Swap to the PC
@@ -313,14 +314,28 @@
 sudo.wheelNeedsPassword = false;
 pam.services = {
- sddm.fprintAuth = false; #Because of the bug with 30 seconds on sddm login
- sddm-autologin.fprintAuth = false; #Same as above
 login.fprintAuth = false;
 sudo.fprintAuth = false; #Disabled because of security risk: https://nvd.nist.gov/vuln/detail/cve-2024-37408
 kscreenlocker.fprintAuth = true;
 polkit-1.fprintAuth = false; #Disabled because of security risk: https://nvd.nist.gov/vuln/detail/cve-2024-37408
 kde.fprintAuth = false;
 hyprlock = {};
+
+ sddm = {
+ fprintAuth = false; # prevent NixOS from adding its own pam_fprintd block
+
+ text = lib.mkForce ''
+ auth sufficient ${pam-fprint-grosshack-pkg}/lib/security/pam_fprintd_grosshack.so
+ auth sufficient pam_unix.so try_first_pass nullok
+ auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so
+
+ account required pam_unix.so
+ password required pam_deny.so
+
+ session required pam_unix.so
+ session optional ${pkgs.systemd}/lib/security/pam_systemd.so
+ '';
+ };
 };
 };
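Review bot: The new `pam-fprint-grosshack` input in flake.nix (first hunk of that file) names no `rev`, so the revision of code that ends up in the SDDM login path is fixed only by flake.lock and moves whenever the lock is refreshed. Pinning it in the input makes each update of that module an explicit, reviewable edit: `url = "git+https://gitea.iateyourcookies.com/cookiez/nix-fprint-grosshack-flake.git?rev=7ad351f85a92fee40806cb81777430c33499be41";`. A one-line comment above the input stating that it builds `pam_fprintd_grosshack.so` for the display-manager auth stack would tell the next maintainer why this input deserves extra care. The lock entry for `pam-fprint-src` records `lastModified` 1658952526, which reads as mid-2022, so it is worth confirming the upstream module is still maintained before relying on it for authentication.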
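Review bot: In modules/configuration.nix the forced `sddm` stack keeps `nullok` on `auth sufficient pam_unix.so try_first_pass nullok`, so an account whose password field is empty passes greeter authentication; unless that is intended, use `auth sufficient pam_unix.so try_first_pass`. Every auth line is `sufficient`, so closing the auth section with `auth required pam_deny.so` would state the fail-closed outcome explicitly rather than leaving it implicit. Because `lib.mkForce` replaces the whole service text, whatever auth, account and session modules the SDDM module would otherwise generate no longer apply, which deserves a comment next to `text` listing what was deliberately left out. The hunk also removes `sddm-autologin.fprintAuth = false;` without a replacement, so that service presumably falls back to the option's default, and the file's own comments cite CVE-2024-37408 as the reason fingerprint auth stays off for `sudo` and `polkit-1` without saying why the same concern does not apply here. The enclosing attribute set starts before the hunk.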