From 51a3a10701df92dc48278ece4a887492b561539e Mon Sep 17 00:00:00 2001
From: Dominik Polakovics
Date: Thu, 29 May 2025 08:36:25 +0200
Subject: [PATCH] feat: add fingerprint reader setup and management instructions
---
 README.md | 59 ++++++++++++++++++++++++++++++++
 hosts/nb/modules/fingerprint.nix | 16 +++++++++
 2 files changed, 75 insertions(+)
diff --git a/README.md b/README.md
index 4015f7c..6cd2263 100644
--- a/README.md
+++ b/README.md
@@ -58,3 +58,62 @@ umask 0077; wg genpsk > psk
 ```console
 nix hash to-sri --type sha256 $(nix-prefetch-url https://tar.gz)
 ```
+
+# 8. Fingerprint Reader Setup (e.g., on Framework Laptop with Goodix reader)
+
+This section assumes you have configured fingerprint support in your NixOS configuration, for example, by creating and importing a module like `hosts/nb/modules/fingerprint.nix` with the following content:
+
+```nix
+# hosts/nb/modules/fingerprint.nix
+{ config, pkgs, ... }:
+
+{
+ services.fprintd.enable = true;
+
+ security.pam.services.login.fprintAuth = true;
+ security.pam.services.sudo.fprintAuth = true;
+ # Add other services like swaylock if needed
+ # security.pam.services.swaylock.fprintAuth = true;
+}
+```
+
+After rebuilding your NixOS configuration (`sudo nixos-rebuild switch`), you can enroll fingerprints for a user.
+
+## Enrolling Fingerprints
+
+To enroll a fingerprint for the current user:
+```console
+fprintd-enroll
+```
+Or for a specific user (e.g., `dominik`):
+```console
+fprintd-enroll dominik
+```
+Follow the on-screen prompts to scan your fingerprint multiple times.
+
+## Verifying Enrollment
+You can verify enrolled fingerprints:
+```console
+fprintd-verify
+```
+
+## Listing Enrolled Fingerprints
+To see which fingers are enrolled for the current user:
+```console
+fprintd-list $(whoami)
+```
+Or for a specific user:
+```console
+fprintd-list dominik
+```
+
+## Deleting Fingerprints
+To delete all fingerprints for the current user:
+```console
+fprintd-delete $(whoami)
+```
+Or for a specific user:
+```console
+fprintd-delete dominik
+```
+You can also delete specific fingerprints by their ID if you know it.
diff --git a/hosts/nb/modules/fingerprint.nix b/hosts/nb/modules/fingerprint.nix
index 03647b6..d26a50d 100644
--- a/hosts/nb/modules/fingerprint.nix
+++ b/hosts/nb/modules/fingerprint.nix
@@ -5,5 +5,21 @@
 security.pam.services.login.fprintAuth = true;
 security.pam.services.sudo.fprintAuth = true;
+ security.pam.services.sddm.fprintAuth = true;
+ # If you use swaylock and want fingerprint auth for it:
 security.pam.services.swaylock.fprintAuth = true;
+ # Add Polkit rule to allow locally active users to manage their own fingerprints
+ security.polkit.extraConfig = ''
+ polkit.addRule(function(action, subject) {
+ if (action.id == "net.reactivated.fprint.device.enroll" ||
+ action.id == "net.reactivated.fprint.device.verify" ||
+ action.id == "net.reactivated.fprint.device.delete" ||
+ action.id == "net.reactivated.fprint.device.list") {
+ // Allow active, local users to manage their own fingerprints
+ if (subject.active && subject.local) {
+ return polkit.Result.YES;
+ }
+ }
+ });
+ '';
 }
\ No newline at end of file
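Review bot: The rule in `security.polkit.extraConfig` returns `polkit.Result.YES` for `net.reactivated.fprint.device.enroll` to any active local session, so registering a new finger needs no password, while this same module accepts fingerprints for `login`, `sudo`, `sddm` and `swaylock`. A finger added from an unattended unlocked session would then satisfy sudo, so I would require re-authentication for enrollment by putting `if (action.id == "net.reactivated.fprint.device.enroll") { return polkit.Result.AUTH_SELF_KEEP; }` ahead of the broader match and keeping `YES` for verify only. The comment promises "their own fingerprints", but nothing in the rule checks the target user; that separation presumably rests on fprintd's separate `setusername` action, which the comment should say. It is also worth confirming that the `.delete` and `.list` action ids exist in the installed fprintd policy, since a comparison against an unknown id never matches. The module's opening lines, including `services.fprintd.enable`, are outside this hunk.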