From 11ea44f3e20737004f7c0f1d27354b9d7a79c2f5 Mon Sep 17 00:00:00 2001
From: Michael Hoang
Date: Thu, 20 Feb 2025 17:52:40 +0700
Subject: [PATCH] pam: add `pam_reattach` support

Co-Authored-By: Andrew Lubawy
---
modules/security/pam.nix | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/modules/security/pam.nix b/modules/security/pam.nix
index 58dff01..1ecea92 100644
--- a/modules/security/pam.nix
+++ b/modules/security/pam.nix
@@ -34,11 +34,26 @@ in
 your Apple Watch.
 '';
 };
+
+ reattach = lib.mkEnableOption "" // {
+ description = ''
+ Whether to enable reattaching a program to the user's bootstrap session.
+
+ This fixes Touch ID for sudo not working inside tmux and screen.
+
+ This allows programs like tmux and screen that run in the background to
+ survive across user sessions to work with PAM services that are tied to the
+ bootstrap session.
+ '';
+ };
 };
 };
 
 config = {
- security.pam.services.sudo_local.text = lib.optionalString cfg.touchIdAuth "auth sufficient pam_tid.so";
+ security.pam.services.sudo_local.text = lib.concatLines (
+ (lib.optional cfg.reattach "auth optional ${pkgs.pam-reattach}/lib/pam/pam_reattach.so")
+ ++ (lib.optional cfg.touchIdAuth "auth sufficient pam_tid.so")
+ );
 
 environment.etc."pam.d/sudo_local" = {
 inherit (cfg) enable text;
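Review bot: The new `reattach` entry is only useful when another line in `sudo_local` is bound to the bootstrap session — with `touchIdAuth` left false the generated file holds just `auth optional …/pam_reattach.so`, which still loads a module into every sudo authentication but changes nothing — and neither the option description nor the `config` block says so. I would append to the description: `Has no effect unless a bootstrap-session-bound PAM module such as touchIdAuth is also enabled; the module is listed as 'optional', so a failed reattach falls through to the next auth line.` A warning in the `config` block along the lines of `warnings = lib.optional (cfg.reattach && !cfg.touchIdAuth) "sudo_local.reattach has no effect without touchIdAuth";` would surface the misconfiguration (the exact option path is not visible in this hunk, so adjust the text). It is also worth stating in the description that reattaching a sudo started from an SSH session to the user's GUI session surfaces the Touch ID prompt on the physical machine; pam_reattach has an option to skip SSH sessions, but whether that is the default in the packaged version should be confirmed rather than assumed. The option set and the `config` attribute both begin before this hunk.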