From 8742134c80539b3f8e9c7c51b13a225a92e97b9a Mon Sep 17 00:00:00 2001
From: nicoo
Date: Mon, 4 Sep 2023 21:06:12 +0000
Subject: [PATCH] nixos/sudo: Only keep SSH_AUTH_SOCK if used for authentication
This will make compatibility with `sudo-rs` easier.
---
 nixos/modules/security/sudo.nix | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix
index ad7d43d2682b..eeb2f0dda8b2 100644
--- a/nixos/modules/security/sudo.nix
+++ b/nixos/modules/security/sudo.nix
@@ -6,6 +6,10 @@ let
 cfg = config.security.sudo;
+ enableSSHAgentAuth =
+ with config.security;
+ pam.enableSSHAgentAuth && pam.sudo.sshAgentAuth;
+
 inherit (pkgs) sudo;
 toUserString = user: if (isInt user) then "#${toString user}" else "${user}";
@@ -210,10 +214,10 @@ in
 # Don't edit this file. Set the NixOS options ‘security.sudo.configFile’
 # or ‘security.sudo.extraRules’ instead.
 ''
- ''
+ (optionalString enableSSHAgentAuth ''
 # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
 Defaults env_keep+=SSH_AUTH_SOCK
- ''
+ '')
 ''
 # "root" is allowed to do anything.
 root ALL=(ALL:ALL) SETENV: ALL
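Review bot: The attribute path `pam.sudo.sshAgentAuth` in the new `enableSSHAgentAuth` binding should be checked against the option declarations, which this hunk does not show. NixOS declares per-service PAM settings under `security.pam.services.<name>`, so the intended path is probably `pam.services.sudo.sshAgentAuth`, i.e. `pam.enableSSHAgentAuth && pam.services.sudo.sshAgentAuth;`. Because `&&` only evaluates its right-hand side when the left is true, a wrong path would pass evaluation on default configurations and fail only for users who enable agent authentication. The `let` block continues outside the hunk.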
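Review bot: Neither the commit message nor the comment above `Defaults env_keep+=SSH_AUTH_SOCK` in the second hunk records that the variable is now dropped from sudo's environment whenever agent authentication is off. That is the tighter default, since `env_keep` also hands the caller's agent socket to the command being run, but setups that relied on the old unconditional rule would change silently. A release-notes entry naming `security.sudo.extraConfig` as the way to restore it would help. I would also extend the comment to something like `# Only kept when sudo authenticates through pam_ssh_agent_auth; env_keep also exposes the socket to the command run.` The enclosing list starts and ends outside the hunk.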