From a164a0b4c571540289d4fd5d5bdbe3ca70e94f63 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Sat, 3 Jan 2015 19:47:38 +0300 Subject: [PATCH] nixos/fprintd: add service and pam support --- nixos/modules/module-list.nix | 1 + nixos/modules/security/pam.nix | 11 +++++ nixos/modules/services/security/fprintd.nix | 53 +++++++++++++++++++++ 3 files changed, 65 insertions(+) create mode 100644 nixos/modules/services/security/fprintd.nix diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 503dd87ad4d..cbac9b9765f 100755 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -306,6 +306,7 @@ ./services/search/solr.nix ./services/security/clamav.nix ./services/security/fail2ban.nix + ./services/security/fprintd.nix ./services/security/fprot.nix ./services/security/frandom.nix ./services/security/haveged.nix diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 844a9da0eb4..3b5dd41868b 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -54,6 +54,15 @@ let ''; }; + fprintAuth = mkOption { + default = config.services.fprintd.enable; + type = types.bool; + description = '' + If set, fingerprint reader will be used (if exists and + your fingerprints are enrolled). + ''; + }; + sshAgentAuth = mkOption { default = false; type = types.bool; @@ -179,6 +188,8 @@ let "auth required pam_tally.so"} ${optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth) "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"} + ${optionalString cfg.fprintAuth + "auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so"} ${optionalString cfg.usbAuth "auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"} ${optionalString cfg.unixAuth 
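Review bot: In the pam.nix hunk at `@@ -54,6 +54,15 @@`, `fprintAuth` defaults to `config.services.fprintd.enable`, so enabling the daemon also enables fingerprint authentication for every PAM service that inherits this default. The enclosing option set starts outside the hunk, but this looks like a per-service option, which would presumably cover privilege-escalation and remote-login services as well as local login. Because the rule added in the `@@ -179,6 +188,8 @@` hunk is `auth sufficient`, the description should say that a match replaces the password, for example `If set, a successful fingerprint match is sufficient to authenticate and no password is asked; only applies when a reader is present and fingerprints are enrolled.` Consider defaulting to `false` so administrators opt in per service.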
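Review bot: The `pam_fprintd.so` rule in the `@@ -179,6 +188,8 @@` hunk is guarded by `cfg.fprintAuth` alone, unlike the SSH-agent rule just above it, which also checks a global switch. A service that sets `fprintAuth = true` while `services.fprintd.enable` is false would load the PAM module without the daemon this commit configures. The guard could read `${optionalString (config.services.fprintd.enable && cfg.fprintAuth)`. The rule is also placed ahead of the `unixAuth` entry, so the fingerprint is tried before the password, and that ordering deserves a mention in the option description. The surrounding PAM text block starts and ends outside the hunk.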
diff --git a/nixos/modules/services/security/fprintd.nix b/nixos/modules/services/security/fprintd.nix
new file mode 100644
index 00000000000..a35b065ba81
--- /dev/null
+++ b/nixos/modules/services/security/fprintd.nix
@@ -0,0 +1,53 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cfg = config.services.fprintd;
+
+in
+
+
+{
+
+ ###### interface
+
+ options = {
+
+ services.fprintd = {
+
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to enable fprintd daemon and PAM module for fingerprint readers handling.
+ '';
+ };
+
+ };
+
+ };
+
+
+ ###### implementation
+
+ config = mkIf cfg.enable {
+
+ services.dbus.packages = [ pkgs.fprintd ];
+
+ environment.systemPackages = [ pkgs.fprintd ];
+
+ systemd.services.fprintd = {
+ description = "Fingerprint Authentication Daemon";
+
+ serviceConfig = {
+ Type = "dbus";
+ BusName = "net.reactivated.Fprint";
+ ExecStart = "${pkgs.fprintd}/libexec/fprintd";
+ };
+ };
+
+ };
+
+}
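Review bot: `serviceConfig` in the new `systemd.services.fprintd` unit sets only `Type`, `BusName` and `ExecStart`, so the daemon whose result PAM treats as `sufficient` runs with the unit defaults and no sandboxing. Consider adding `PrivateTmp = true;`, `ProtectHome = true;` and `ProtectSystem = "full";`, after confirming the daemon can still reach the reader device and its state directory. The `enable` description should also say that enabling the service turns on the `fprintAuth` PAM option by default, since that coupling lives in pam.nix and is not visible from this file.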