swaylock isn't added to /etc/pam.d by default #143365

Open
sagehane opened this issue Oct 28, 2021 · 10 comments
Labels
2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS

Comments

@sagehane
Contributor

Issue description

swaylock isn't added to /etc/pam.d by default, causing the issue described in swaywm/sway#3631, at least when using a window manager different from Sway.

Steps to reproduce

Use a WM different from sway (such as river) and attempt using swaylock.

Temporary fix

It works as expected on sway because of this line:

security.pam.services.swaylock = {};

As such, adding the line above should circumvent the issue.

Technical details

$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 5.10.75, NixOS, 21.11 (Porcupine)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.3.16`
 - channels(root): `"nixos-21.11pre325514.a4bf4434570"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`
@sagehane
Contributor Author

@primeos, you seem to be a maintainer of both that module and swaylock.

@veprbl veprbl added the 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS label Oct 29, 2021
@primeos
Member

primeos commented Oct 29, 2021

Unfortunately I see no good way to fix this. We could add a Swaylock module but I don't think that makes sense as users could just set security.pam.services.swaylock = {}; themselves (vs. programs.swaylock.enable = true).

Maybe a note in the description of the Swaylock package would help?

@sagehane sagehane changed the title swaylock isn't added to /etd/pam.d by default swaylock isn't added to /etc/pam.d by default Oct 30, 2021
@sagehane
Contributor Author

Is there any reason why programs.swaylock.enable isn't better? At least it's 1 line in one area, as opposed to having two lines: one in system packages and one in security.

From the perspective of someone who never worked with another package that needed security.pam.services, I had to search the Sway issues to see what could be causing it, and then try to grep for random terms that seemed relevant in this repository. (Maybe I'm just ignorant and using NixOS wrong)

But yeah, a note in the description would be more welcome than the status quo.

@primeos
Member

primeos commented Oct 30, 2021

I forgot about the second line for environment.systemPackages. In that case programs.swaylock.enable might be worth it. I just wish we had better formal policies that document when it's worth adding a new module (because we obviously do not want new modules for every single package). The best option might be to just open a PR and hope that it gets a few reviews.

@Artturin
Member

Artturin commented Oct 30, 2021

As an alternative for these very simple modules (which slow down eval) we could add a section to the NixOS manual.
See: #137168

@sagehane
Contributor Author

I'm honestly fine with any of the proposed solutions, granted it reduces confusion for other users in the future. I honestly feel like I already accomplished half of what I wanted to do by simply opening this issue for others to search.

However, I do find it worth noting that as Wayland gains more traction, more people would probably come across this issue when they try niche window managers or lockers. And having a module for every window manager/screen locker does indeed sound like a pain.

@mohe2015
Contributor

Modules have the advantage that they isolate the implementation, e.g. if the PAM thing will work differently in the future we could just change it there. Still probably not worth it in this case and fixing the module evaluation slowdown is probably not happening soon.

@stale

stale bot commented Apr 28, 2022

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Apr 28, 2022
@revuwa

revuwa commented Oct 27, 2022

Tried to set the PAM file (as it was created by programs.sway.enable = true; before) manually:

  security.pam.services.swaylock.text = ''
    # Account management.
    account required pam_unix.so

    # Authentication management.
    auth sufficient pam_unix.so   likeauth try_first_pass
    auth required pam_deny.so

    # Password management.
    password sufficient pam_unix.so nullok sha512

    # Session management.
    session required pam_env.so conffile=/etc/pam/environment readenv=0
    session required pam_unix.so
  '';

and it works (without sway.enable); in my case under hyprland.
Possibly this could (temporarily) help others, too.

I'm always grateful for better suggestions.
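
A way to check the condition this thread is about, as an added example that is not part of the original comments: the function classifies a locker's PAM service file as missing (Linux-PAM then falls back to the `other` service), lacking an auth stack, deny-only, or usable. The helper name `pam_service_status`, its status strings and the scratch directory are assumptions; the sample file is constructed from the auth lines in the comment above.

```shell
#!/bin/sh
# Added example: classify a PAM service file for a screen locker.
# pam_service_status is a hypothetical helper, not part of nixpkgs or swaylock.
# Usage: pam_service_status <pam.d directory> <service name>
# Prints: missing | no-auth | deny-only | ok
pam_service_status() {
    file="$1/$2"
    # No service file: Linux-PAM falls back to the "other" service instead.
    [ -f "$file" ] || { echo missing; return 0; }
    awk '
        { sub(/#.*/, "") }                           # strip comments
        NF == 0 { next }                             # skip blank lines
        { type = $1; sub(/^-/, "", type) }           # "-auth": tolerate a missing module
        type == "@include" { auth++; real++; next }  # whole stack delegated elsewhere
        type != "auth" { next }
        { auth++ }
        $2 == "include" || $2 == "substack" { real++; next }
        {
            # The control field may be "[a=b c=d]", so find the module by suffix.
            mod = ""
            for (i = 2; i <= NF; i++) if ($i ~ /\.so$/) { mod = $i; break }
            if (mod != "" && mod !~ /pam_deny\.so$/) real++
        }
        END {
            if (!auth) print "no-auth"               # no auth rules at all
            else if (!real) print "deny-only"        # every auth rule rejects
            else print "ok"
        }
    ' "$file"
}

# Constructed sample: auth lines from the comment above, in a scratch directory.
# "waylock" stands in for a locker that has no service file.
demo=$(mktemp -d)
printf '%s\n' \
    '# Authentication management.' \
    'auth sufficient pam_unix.so   likeauth try_first_pass' \
    'auth required pam_deny.so' > "$demo/swaylock"
for svc in swaylock waylock; do
    printf '%s: %s\n' "$svc" "$(pam_service_status "$demo" "$svc")"
done
rm -rf "$demo"
```

On a real system, call it as `pam_service_status /etc/pam.d swaylock` after a rebuild.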

@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Oct 27, 2022
@niksingh710

security.pam.services.swaylock.text = ''
# Account management.
account required pam_unix.so

# Authentication management.
auth sufficient pam_unix.so   likeauth try_first_pass
auth required pam_deny.so

# Password management.
password sufficient pam_unix.so nullok sha512

# Session management.
session required pam_env.so conffile=/etc/pam/environment readenv=0
session required pam_unix.so

'';

tysm mate this helped.

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label May 21, 2023