feat(Auth): Unify shared PAM sync across greeter & lockscreen

- Add a neutral `dms auth sync` command and reuse the shared auth flow from: - Settings auth toggle auto-apply - `dms greeter sync` - `dms greeter install` - greeter auth cleanup paths - Rework lockscreen PAM so DMS builds /etc/pam.d/dankshell from the system login stack, but removes fingerprint and U2F from that password path. Keep /etc/pam.d/dankshell-u2f separate. - Preserve custom PAM files in place to avoid adding duplicate greeter auth when the distro already provides it, and keep NixOS on the non-writing path.
2026-04-03 20:32:07 -04:00 · 2026-03-27 12:52:08 -04:00
parent 521a3fa6e8
commit e7ee26ce74
17 changed files with 1968 additions and 514 deletions
--- a/distro/nix/greeter.nix
+++ b/distro/nix/greeter.nix
@@ -139,6 +139,13 @@ in
        '';
      }
    ];
+    # DMS currently relies on /etc/pam.d/login for lock screen password auth on NixOS.
+    # Declare security.pam.services.dankshell only if you want to override that runtime fallback.
+    # U2F and fingerprint are handled separately by DMS — do not add pam_u2f or pam_fprintd here.
+    # security.pam.services.dankshell = {
+    #   # Example: add faillock
+    #   faillock.enable = true;
+    # };
    services.greetd = {
      enable = lib.mkDefault true;
      settings.default_session.command = lib.mkDefault (lib.getExe greeterScript);