We introduced the gdm-fingerprint.pam in 9d41fe6fcc.
We used the [upstream Arch config] as a template, which contains an extended control field that jumps over **one** immediately-following `auth` rule unless `pam_gdm.so` succeeds.
But we decided to not include `pam_gnome_keyring.so` so there was no rule to skip over, resulting in a broken control flow and the PAM module failing with “PAM bad jump in stack”, breaking the fingerprint authentication in GDM.
Let’s actually add `pam_gnome_keyring.so`, like the Arch config does. Because we are creating the PAM file using the `text` option, `security.pam.services.gdm-fingerprint.enableGnomeKeyring` does not do anything so we need to do it manually.
For the case where gnome-keyring is not enabled, we could add a no-op rule like `optional pam_permit.so` after `pam_gdm.so` so that the branching always has something to jump over but it will be simpler to just make the both conditional. There are no further `auth` rules that could benefit from `pam_gdm.so` doing something so it should be fine.
Unlike in Arch, we are not going to invoke `pam_gnome_keyring.so` in a `session` rule since that is already done by the included `login` module.
[upstream Arch config]: 81ee658c11/data/pam-arch/gdm-fingerprint.pam
The `optional pam_permit.so` comes from the [upstream Arch config] we used as a template in 9d41fe6fcc. But I do not think it does anything in this position – see also the discussion at https://bbs.archlinux.org/viewtopic.php?id=245892 – so let’s just remove it.
Let’s also add a comment about disabling `fprintAuth` and a blank line for clarity.
[upstream Arch config]: 81ee658c11/data/pam-arch/gdm-fingerprint.pam
These have been deprecated since NixOS 20.03.
Also fixes evaluation error caused by moving
the `defaultSessionFromLegacyOptions` variable
in 6be2bfcc32
these changes were generated with nixq 0.0.2, by running
nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix
two mentions of the mdDoc function remain in nixos/, both of which
are inside of comments.
Since lib.mdDoc is already defined as just id, this commit is a no-op as
far as Nix (and the built manual) is concerned.
Some settings which where before inside the xserver module, are generic
and also required for SDDM under wayland. To make them easily re-usable
lets extract them.
- Build virtualbox guest additions from source and fix paths
- Install VBoxDRMClient to support resizing
- Support resizing on wayland and x11
- Adding multiple new options
- clipboard
- seamless
- Removing x11 option
- Support linux 6.8
[Motivation](https://github.com/NixOS/nixpkgs/issues/257817#issuecomment-1741705042):
- Having all the XKB options in the same attribute set clarifies their
relation better than using a common option name prefix ("xkb").
- `services.xserver.layout` is an XKB option, but this is not obvious
from its name. Putting it with the other XKB options clarifies this.
Co-authored-by: Michele Guerini Rocco <rnhmjoj@users.noreply.github.com>
This exposes the banner message option in GDM. Some computing
environments have compliance requirements which include displaying a
message to the user before logon.
This is not correct and will in fact break things because they try to run before the target is reached.
Ideally we'd get rid of it entirely, but WM users rely on this behavior, so allowlist some desktops
to get the sane behavior, and fake the session for the rest until upstreams/NixOS modules catch up.
If plymouth is not enabled, there is no plymouth-quit service created
otherwise, so setting systemd.services.plymouth-quit.wantedBy creates an
empty service which logs an error during bootup. The plymouth fix should
only be applied if plymouth is actually available to prevent a needless
systemd service error on systems with gdm but no plymouth (such as a
default gnome setup).
