From 9d41fe6fcc4df838a56b1cfb2512b65e5e655958 Mon Sep 17 00:00:00 2001
From: Maxine Aubrey
Date: Tue, 23 Apr 2024 18:58:49 +0200
Subject: [PATCH] nixos/gdm: add fingerprint pam rules
Signed-off-by: John Titor <50095635+JohnRTitor@users.noreply.github.com>
---
 .../services/x11/display-managers/gdm.nix | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/nixos/modules/services/x11/display-managers/gdm.nix b/nixos/modules/services/x11/display-managers/gdm.nix
index 107a2f164792..51ab08e74f86 100644
--- a/nixos/modules/services/x11/display-managers/gdm.nix
+++ b/nixos/modules/services/x11/display-managers/gdm.nix
@@ -321,6 +321,22 @@ in
 session include login
 '';
+ login.fprintAuth = mkIf config.services.fprintd.enable false;
+ gdm-fingerprint.text = mkIf config.services.fprintd.enable ''
+ auth required pam_shells.so
+ auth requisite pam_nologin.so
+ auth requisite pam_faillock.so preauth
+ auth required ${pkgs.fprintd}/lib/security/pam_fprintd.so
+ auth optional pam_permit.so
+ auth required pam_env.so
+ auth [success=ok default=1] ${pkgs.gnome.gdm}/lib/security/pam_gdm.so
+
+ account include login
+
+ password required pam_deny.so
+
+ session include login
+ '';
 };
 };
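Review bot: The closing auth line `auth [success=ok default=1] ${pkgs.gnome.gdm}/lib/security/pam_gdm.so` has nothing to jump over: it is the last `auth` entry of `gdm-fingerprint`, so on any result other than success the `default=1` jump runs past the end of the stack. Linux-PAM, as far as I recall, treats such a jump as a stack error rather than ignoring it, which would reject fingerprint logins whenever pam_gdm.so does not return success; this is worth confirming on a test machine before merging. Either place the module the jump is meant to skip directly after it, e.g. `auth optional <gnome-keyring store path>/lib/security/pam_gnome_keyring.so`, or drop the pam_gdm.so line. Separately, `login.fprintAuth = mkIf config.services.fprintd.enable false;` apparently turns fingerprint auth off for the whole `login` service and not only for GDM, so it should carry a comment stating why that is wanted. The attribute set these entries belong to opens above the hunk, so how the other GDM services pair pam_gdm.so is not visible here.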