infrastructure/modules/nixos/sssd/pam.nix

# Keeps the `sss` PAM rule in step with the SSSD PAM responder setting.
#
# For every entry of `security.pam.services`, and for each PAM rule type
# (account, auth, password, session), this module contributes a definition for
# the rule named `sss`: while `services.sssd.enable` is true and
# `services.sssd.services.pam.enable` is false, `sss.enable` is set to
# `mkAlmostForce false`. In every other case nothing is defined here and the
# value comes from whichever other module sets it.
#
# NOTE(review): `sss` is presumably the pam_sss entry generated by the NixOS
# PAM module; confirm against the nixpkgs revision in use.
# NOTE(review): `mkAlmostForce` comes from gensokyo-zone.lib and its override
# priority is not visible in this file; the name suggests it yields to an
# explicit `mkForce`, which should be confirmed before relying on it.
# NOTE(review): `services.sssd.services.pam.enable` is presumably declared
# elsewhere in this repository; this file only reads it.
#
# Security: where the override applies, SSSD no longer takes part in
# authentication, account checks, password changes or session setup for any
# PAM service on the host. Review the rendered stack
# (`security.pam.services.<name>.text`) after changing either option, so that
# each service still has the auth and account modules it is meant to have.
{
  config,
  lib,
  gensokyo-zone,
  ...
}: let
  inherit (gensokyo-zone.lib) mkAlmostForce;
  inherit (lib) genAttrs mkIf mkOption;
  inherit (lib.types) attrsOf submodule;

  sssd = config.services.sssd;

  # Rule types that receive the `sss` override.
  ruleTypes = ["account" "auth" "password" "session"];

  # The same definition is used for every rule type, so the argument that
  # genAttrs passes (the rule type name) is ignored.
  sssOverride = _ruleType: {
    # Outer guard: contribute nothing at all unless SSSD itself is enabled.
    sss = mkIf sssd.enable {
      # Inner guard: switch the rule off only when the PAM responder is off.
      enable = mkIf (!sssd.services.pam.enable) (mkAlmostForce false);
    };
  };

  # Submodule merged into `rules` of each PAM service.
  sssRules = {...}: {
    config = genAttrs ruleTypes sssOverride;
  };

  # Submodule merged into each `security.pam.services.<name>`.
  sssService = {...}: {
    options.rules = mkOption {
      type = submodule sssRules;
    };
  };
in {
  options.security.pam.services = mkOption {
    type = attrsOf (submodule sssService);
  };
}