From 607679c6d3ff1c18b28f9cc61356d0c4d95378f3 Mon Sep 17 00:00:00 2001
From: nicoo
Date: Sun, 24 Dec 2023 15:16:29 +0000
Subject: nixos/pam: Assert that `authorizedKeysFiles` is non-empty when using `pam_ssh_agent_auth`
---
 nixos/modules/security/pam.nix | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'nixos/modules/security')
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index c99615d5a6362..2f777f874f23e 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -1456,6 +1456,13 @@ in
 `security.pam.zfs.enable` requires enabling ZFS (`boot.zfs.enabled` or `boot.zfs.enableUnstable`).
 '';
 }
+ {
+ assertion = config.security.pam.enableSSHAgentAuth -> config.services.openssh.authorizedKeysFiles != [];
+ message = ''
+ `security.pam.enableSSHAgentAuth` requires `services.openssh.authorizedKeysFiles` to be a non-empty list.
+ Did you forget to set `services.openssh.enable` ?
+ '';
+ }
 ];
 
 environment.systemPackages =
-- 
cgit 1.4.1
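Review bot: The added assertion checks only that `services.openssh.authorizedKeysFiles` is non-empty, not where those files live, and pam_ssh_agent_auth accepts any key found in them as proof of identity for the PAM services that use it. If the list contains a path under the user's home directory (not visible in this hunk, so worth confirming against the option's default), whoever can write that file as the user can add a key and pass that authentication step. I would at least document this next to the assertion, e.g. `# pam_ssh_agent_auth trusts every file listed here; they should be root-owned and not writable by the authenticating user`, and consider a warning for home-relative entries. Minor: the hint text has a stray space before the `?` after `services.openssh.enable`. The list this entry is appended to starts outside the hunk.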