nixos/pam: create wtmp/lastlog iff using pam_lastlog

I think pam_lastlog is the only thing that writes to these files in practice on a modern Linux system, so in a configuration that doesn't use that module, we don't need to create these files. I used tmpfiles.d instead of activation snippets to create the logs. It's good enough for upstream and other distros; it's probably good enough for us.
author: Jamey Sharp <jamey@minilop.net> 2018-09-29 23:30:02 -0700
committer: Jamey Sharp <jamey@minilop.net> 2018-09-30 11:08:12 -0700
commit: b63f65aea0dea11c20e9299210af1d2ee4299b58 (patch)
tree: 147d0ddcbf8bf7131c922707ec5abf4816878775 /nixos/modules/security
parent: 188bdfb95d7218b931f7d605ad0a5e6961dc3a34 (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index bef10b4fe614..926c6d77d3bb 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -548,6 +548,13 @@ in
     environment.etc =
       mapAttrsToList (n: v: makePAMService v) config.security.pam.services;
 
+    systemd.tmpfiles.rules = optionals
+      (any (s: s.updateWtmp) (attrValues config.security.pam.services))
+      [
+        "f /var/log/wtmp"
+        "f /var/log/lastlog"
+      ];
+
     security.pam.services =
       { other.text =
           ''
author	Jamey Sharp <jamey@minilop.net>	2018-09-29 23:30:02 -0700
committer	Jamey Sharp <jamey@minilop.net>	2018-09-30 11:08:12 -0700
commit	b63f65aea0dea11c20e9299210af1d2ee4299b58 (patch)
tree	147d0ddcbf8bf7131c922707ec5abf4816878775 /nixos/modules/security
parent	188bdfb95d7218b931f7d605ad0a5e6961dc3a34 (diff)