pam_sduserdb: add support to security/pam

nixos/modules/security/pam.nix

@@ -628,6 +628,7 @@ let
           { name = "oslogin_login"; enable = cfg.googleOsLoginAccountVerification; control = "[success=ok ignore=ignore default=die]"; modulePath = "${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so"; }
           { name = "oslogin_admin"; enable = cfg.googleOsLoginAccountVerification; control = "[success=ok default=ignore]"; modulePath = "${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so"; }
           { name = "systemd_home"; enable = config.services.homed.enable; control = "sufficient"; modulePath = "${config.systemd.package}/lib/security/pam_systemd_home.so"; }
+          { name = "sd_userdb"; enable = config.security.pam.userdb.enable; control = "sufficient"; modulePath = "${pkgs.pam_sduserdb}/lib/security/pam_sduserdb.so"; }
           # The required pam_unix.so module has to come after all the sufficient modules
           # because otherwise, the account lookup will fail if the user does not exist
           # locally, for example with MySQL- or LDAP-auth.
@@ -702,6 +703,7 @@ let
                 inherit (cfg) nodelay;
                 likeauth = true;
               }; }
+              { name = "sd_userdb"; enable = config.security.pam.userdb.enable; control = "optional"; modulePath = "${pkgs.pam_sduserdb}/lib/security/pam_sduserdb.so"; }
               { name = "ecryptfs"; enable = config.security.pam.enableEcryptfs; control = "optional"; modulePath = "${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"; settings = {
                 unwrap = true;
               }; }
@@ -735,6 +737,7 @@ let
             likeauth = true;
             try_first_pass = true;
           }; }
+          { name = "sd_userdb"; enable = config.security.pam.userdb.enable; control = "sufficient"; modulePath = "${pkgs.pam_sduserdb}/lib/security/pam_sduserdb.so"; }
           { name = "otpw"; enable = cfg.otpwAuth; control = "sufficient"; modulePath = "${pkgs.otpw}/lib/security/pam_otpw.so"; }
           { name = "ldap"; enable = use_ldap; control = "sufficient"; modulePath = "${pam_ldap}/lib/security/pam_ldap.so"; settings = {
             use_first_pass = true;
@@ -1104,6 +1107,16 @@ in
       };
     };
 
+    security.pam.userdb = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Enable login using accounts defined in the systemd user database
+        '';
+      };
+    };
+
     security.pam.p11 = {
       enable = mkOption {
         default = false;

pkgs/os-specific/linux/pam_sduserdb/default.nix

@@ -0,0 +1,24 @@
+{ lib, stdenv, fetchFromGitHub, pkg-config, meson, ninja, pam, libvarlink, libxcrypt }:
+
+stdenv.mkDerivation rec {
+  pname = "pam_sduserdb";
+  version = "0.1338";
+
+  src = fetchFromGitHub {
+    owner = "erincandescent";
+    repo = "pam_sduserdb";
+    rev = "babf7a88caac817ffbef7f7da3893fc96ea03a38";
+    hash = "sha256-PU8VsYri6DiIniWaVCQj8ACBYHLnA10NeRN0N2SMCHc=";
+  };
+
+  nativeBuildInputs = [ pkg-config meson ninja ];
+  buildInputs = [ pam libvarlink libxcrypt ];
+
+  meta = with lib; {
+    homepage = "https://github.com/erincandescent/pam_sduserdb";
+    description = "A PAM module for doing account management using the systemd user database";
+    license = licenses.bsd2;
+    platforms = platforms.unix;
+    maintainers = with maintainers; [  ];
+  };
+}

pkgs/top-level/all-packages.nix

@@ -28354,6 +28354,8 @@ with pkgs;
 
   pam_rssh = callPackage ../os-specific/linux/pam_rssh { };
 
+  pam_sduserdb = callPackage ../os-specific/linux/pam_sduserdb { };
+
   pam_ssh_agent_auth = callPackage ../os-specific/linux/pam_ssh_agent_auth { };
 
   pam_tmpdir = callPackage ../os-specific/linux/pam_tmpdir { };