
Wayland screen lockers from Nixpkgs cannot authenticate against Ubuntu host PAM #12

@flexiondotorg

Description


Pre-submission checklist

  • I have searched existing issues and this bug hasn't been reported previously
  • I have tried reproducing this with the latest version

Bug Description

Screen lockers provisioned via Nixpkgs (swaylock, hyprlock, etc.) fail to authenticate when attempting to unlock the screen on Noughty Linux. The lockers can successfully lock the screen but cannot verify the user's password to unlock, effectively locking users out of their session.

Steps to Reproduce

  1. Bootstrap Noughty Linux on Ubuntu Server following standard installation
  2. Configure a Wayland compositor with a screen locker from Nixpkgs
  3. Trigger the screen lock (e.g., via keybinding or swaylock command)
  4. Attempt to unlock by entering user password
  5. Authentication fails despite correct password

Expected Behavior

Screen locker should authenticate against the system's user credentials and unlock the session when the correct password is entered.

Screenshots or Videos

No response

Error Messages

No response

Additional Context

Authentication always fails, even with the correct password. Users must switch to another TTY and kill the lock process to regain access to their session.

Root Cause Analysis

The issue stems from the system boundary between Ubuntu and Nix, including some or all of the following:

  1. Library mismatch: Nix-packaged screen lockers are built against Nix's PAM libraries, not Ubuntu's system PAM
  2. PAM service configuration: The lockers expect PAM service files (e.g., /etc/pam.d/swaylock) that don't exist on the Ubuntu host
  3. Missing privileges: Nix packages cannot be setuid on non-NixOS systems, preventing reading /etc/shadow
  4. Path resolution: The Nix binaries cannot locate Ubuntu's PAM modules in /lib/x86_64-linux-gnu/security/

Potential Solutions

1. Wrapper Script Approach

Create a bridge wrapper that redirects Nix binaries to use system PAM:

#!/usr/bin/env bash
# /usr/local/bin/swaylock-system
export LD_LIBRARY_PATH="/lib/x86_64-linux-gnu:/lib/security:$LD_LIBRARY_PATH"
exec /nix/store/.../bin/swaylock "$@"

Combined with:

  • PAM service file creation in /etc/pam.d/
  • Capability setting: setcap cap_dac_read_search+ep
  • Optional AppArmor profile for additional security

2. system-manager Integration

Extend system-manager configuration to:

  • Deploy PAM service files
  • Create wrapper scripts
  • Manage capabilities post-activation

3. Ubuntu Package Fallback

Document and recommend installing screen lockers from Ubuntu repos as a workaround, though this breaks declarative configuration.

Possible Implementation

Add to ubuntu.just:

deploy-pam-bridges:
    #!/usr/bin/env bash
    set -euo pipefail
    # Create PAM service files that reuse Ubuntu's common-* stack.
    # The heredoc body and its EOF terminator sit at the recipe's base
    # indentation: just strips that indentation, so bash sees EOF in
    # column 0 (an indented terminator is never matched and the heredoc
    # would swallow the rest of the recipe).
    for locker in swaylock hyprlock; do
        sudo tee "/etc/pam.d/$locker" > /dev/null << 'EOF'
    #%PAM-1.0
    auth    include common-auth
    account include common-account
    EOF
    done

    # Deploy AppArmor profiles if needed
    # Set capabilities on wrapper scripts
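The wrapper-script approach and the recipe above, written as an added example (not the Noughty Linux project's own code) in the form of shell functions that take their target directories as parameters, so the bridge can be built and checked in a scratch tree before it touches /etc/pam.d and /usr/local/bin. The function names write_pam_service, write_locker_wrapper and check_pam_bridge are assumed; the Nix store path is resolved with readlink instead of being hard-coded.

```bash
#!/usr/bin/env bash
# Added example: build and check the PAM bridge pieces for a Nix-built locker.
# Directories are parameters so the functions can be exercised against a
# scratch tree before being pointed at /etc/pam.d and /usr/local/bin.
set -u

# Write <pam_dir>/<locker> so the locker resolves the same common-auth /
# common-account stack Ubuntu uses for login. printf avoids the
# indented-heredoc pitfall (an indented EOF terminator is never matched).
write_pam_service() {
    local locker=$1 pam_dir=$2
    printf '%s\n' '#%PAM-1.0' \
        'auth    include common-auth' \
        'account include common-account' > "$pam_dir/$locker"
}

# Write <bin_dir>/<locker>-system: prepend Ubuntu's library and PAM module
# directories, then exec the resolved Nix store binary.
write_locker_wrapper() {
    local locker=$1 nix_bin=$2 bin_dir=$3
    local target
    target=$(readlink -f "$nix_bin") || return 1
    printf '%s\n' '#!/usr/bin/env bash' \
        'export LD_LIBRARY_PATH="/lib/x86_64-linux-gnu:/lib/security:${LD_LIBRARY_PATH:-}"' \
        "exec '$target' \"\$@\"" > "$bin_dir/$locker-system"
    chmod 0755 "$bin_dir/$locker-system"
}

# Check the bridge before trusting it to unlock a session: the service file
# must pull in common-auth, the wrapper must be executable and exec something,
# and any file capability present is reported (setcap is a separate step).
check_pam_bridge() {
    local locker=$1 pam_dir=$2 bin_dir=$3
    local svc=$pam_dir/$locker wrapper=$bin_dir/$locker-system
    [ -f "$svc" ] || { echo "missing $svc" >&2; return 1; }
    grep -Eq '^auth[[:space:]]+include[[:space:]]+common-auth' "$svc" \
        || { echo "$svc does not include common-auth" >&2; return 1; }
    [ -x "$wrapper" ] || { echo "$wrapper is not executable" >&2; return 1; }
    grep -q '^exec ' "$wrapper" || { echo "$wrapper has no exec line" >&2; return 1; }
    if command -v getcap >/dev/null 2>&1; then
        getcap "$wrapper" 2>/dev/null || echo "no file capability on $wrapper"
    fi
    return 0
}
```

The kernel applies file capabilities only to the binary it actually executes, so setcap on the bash wrapper itself has no effect; the capability has to go on an ELF executable (the locker binary or a compiled launcher), and check_pam_bridge only reports what getcap sees.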

Labels: bug (Something isn't working)