From 727119f8c7420879e83ffc310b8c1f4fa2800c11 Mon Sep 17 00:00:00 2001
From: Coosis <1159727122@qq.com>
Date: Tue, 25 Feb 2025 21:50:55 +0800
Subject: [PATCH] pam: add `pam_watchid` support
---
 modules/security/pam.nix | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/modules/security/pam.nix b/modules/security/pam.nix
index 1ecea92..e671e23 100644
--- a/modules/security/pam.nix
+++ b/modules/security/pam.nix
@@ -35,6 +35,17 @@ in
 '';
 };

+ watchIdAuth = lib.mkEnableOption "" // {
+ description = ''
+ Use Apple Watch for sudo authentication, for devices without Touch ID or
+ laptops with lids closed, consider using this.
+
+ When enabled, you can use your Apple Watch to authenticate sudo commands.
+ If this doesn't work, you can go into `System Settings > Touch ID & Password`
+ and toggle the switch for your Apple Watch.
+ '';
+ };
+
 reattach = lib.mkEnableOption "" // {
 description = ''
 Whether to enable reattaching a program to the user's bootstrap session.
@@ -53,6 +64,7 @@ in
 security.pam.services.sudo_local.text = lib.concatLines (
 (lib.optional cfg.reattach "auth optional ${pkgs.pam-reattach}/lib/pam/pam_reattach.so")
 ++ (lib.optional cfg.touchIdAuth "auth sufficient pam_tid.so")
+ ++ (lib.optional cfg.watchIdAuth "auth sufficient ${pkgs.pam-watchid}/lib/pam_watchid.so")
 );

 environment.etc."pam.d/sudo_local" = {
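Review bot: The `watchIdAuth` description never states the security consequence of enabling it: the second hunk installs the module as `auth sufficient` in `sudo_local`, so an approval on the paired watch alone satisfies sudo with no password prompt. I would say so in the description, for example by adding `This adds a "sufficient" auth rule to /etc/pam.d/sudo_local, so a successful watch approval authorizes sudo without the account password.` The opening sentence is also a comma splice and, unlike the neighbouring `reattach` option, does not begin with "Whether to enable"; `Whether to enable Apple Watch authentication for sudo.` would match the existing style.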
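Review bot: The added `pam_watchid.so` entry is a second `sufficient` rule directly after `pam_tid.so`, and nothing documents how the two behave when both `touchIdAuth` and `watchIdAuth` are set; if pam_watchid's prompt also accepts Touch ID (I believe it does, worth confirming), a cancelled first prompt would be followed by a second one. A one-line comment above the list, such as `# order matters: reattach first, then each "sufficient" module; any one success authorizes sudo`, would help. The module path `lib/pam_watchid.so` also does not follow the `lib/pam/` layout of the `pam_reattach.so` line, so it should be checked against the package output, since this file sits in sudo's authentication path. The `environment.etc."pam.d/sudo_local"` block continues outside the hunk, so whether the file is written when only `watchIdAuth` is enabled cannot be seen here.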