Diffstat (limited to 'nixos/modules')
-rw-r--r--nixos/modules/security/pam.nix6
-rw-r--r--nixos/modules/security/sudo.nix8
2 files changed, 9 insertions, 5 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 709bb8b94a65..b7e1ea526535 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -1531,6 +1531,10 @@ in
(map (module: "mr ${module},"))
concatLines
]);
- };
+ security.sudo.extraConfig = optionalString config.security.pam.enableSSHAgentAuth ''
+ # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
+ Defaults env_keep+=SSH_AUTH_SOCK
+ '';
+ };
}
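Review bot: The comment on the added `Defaults env_keep+=SSH_AUTH_SOCK` line ("can do its magic") does not say what keeping the variable implies. The invoking user chooses the agent socket that pam_ssh_agent_auth.so will query, so authentication is only as strong as the authorized-keys file the module checks against. I would reword it along the lines of `# Pass the caller's SSH_AUTH_SOCK through to pam_ssh_agent_auth.so; the keys file it checks must not be writable by that user.` Whether this module enforces a root-controlled keys file is not visible in this hunk and is worth confirming. The enclosing attribute set starts outside the hunk.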
diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix
index 4728a697de86..75dc2b52a52c 100644
--- a/nixos/modules/security/sudo.nix
+++ b/nixos/modules/security/sudo.nix
@@ -6,6 +6,8 @@ let
cfg = config.security.sudo;
+ inherit (config.security.pam) enableSSHAgentAuth;
+
toUserString = user: if (isInt user) then "#${toString user}" else "${user}";
toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}";
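Review bot: The added `inherit (config.security.pam) enableSSHAgentAuth;` binding is not referenced by any other line this commit adds to sudo.nix, since the conditional on that option now lives in pam.nix. Unless the name is used in a part of the file outside these hunks, it is dead code and the two added lines can be dropped. The `let` block continues outside the hunk.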
@@ -207,10 +209,8 @@ in
''
# Don't edit this file. Set the NixOS options ‘security.sudo.configFile’
# or ‘security.sudo.extraRules’ instead.
-
- # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
- Defaults env_keep+=SSH_AUTH_SOCK
-
+ ''
+ ''
# "root" is allowed to do anything.
root ALL=(ALL:ALL) SETENV: ALL
''
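Review bot: Removing the unconditional `Defaults env_keep+=SSH_AUTH_SOCK` changes the default for every sudo-enabled system, and nothing in the diff documents that. Configurations that leave `security.pam.enableSSHAgentAuth` off but rely on a forwarded agent surviving `sudo` will silently lose it. The tightening is reasonable, but it deserves a release-note entry naming `security.sudo.extraConfig` as the way to opt back in. The added `''` / `''` pair also splits the literal in two with nothing between the halves, which looks like a leftover. The surrounding expression is outside the hunk, so whether the two strings can be merged back should be checked there.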