From f3cd67c5b79544706a5a4bc057758d208f950c35 Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Sun, 10 Aug 2025 18:55:04 +0200 Subject: nixos/pam: enable lastlog2 import service if any pam service uses lastlog --- nixos/modules/security/pam.nix | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index fb42bba9d01c..a02bf460a9eb 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -2311,11 +2311,14 @@ in environment.etc = lib.mapAttrs' makePAMService enabledServices; - systemd = lib.optionalAttrs config.security.pam.services.login.updateWtmp { - tmpfiles.packages = [ pkgs.util-linux.lastlog ]; # /lib/tmpfiles.d/lastlog2-tmpfiles.conf - services.lastlog2-import.enable = true; - packages = [ pkgs.util-linux.lastlog ]; # lib/systemd/system/lastlog2-import.service - }; + systemd = + lib.optionalAttrs + (lib.any (service: service.updateWtmp) (lib.attrValues config.security.pam.services)) + { + tmpfiles.packages = [ pkgs.util-linux.lastlog ]; # /lib/tmpfiles.d/lastlog2-tmpfiles.conf + services.lastlog2-import.enable = true; + packages = [ pkgs.util-linux.lastlog ]; # lib/systemd/system/lastlog2-import.service + }; security.pam.services = { other.text = '' -- cgit v1.2.3 From a1d47a4ca33675e48868a6eb6dff57b0c448a22d Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Mon, 11 Aug 2025 10:32:11 +0200 Subject: nixos/pam: fix lastlog2 import service --- nixos/modules/security/pam.nix | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index a02bf460a9eb..abc632c1c07d 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix 
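Review bot: In the first patch's hunk (`@@ -2311,11 +2311,14 @@`), the new condition walks `lib.attrValues config.security.pam.services`, so a service that sets `updateWtmp` but is not enabled still turns on `lastlog2-import`, while the context line just above builds the PAM files from `enabledServices` only. If `enabledServices` is the enable-filtered set, as its name suggests, `lib.any (service: service.updateWtmp) (lib.attrValues enabledServices)` keeps the two in step. Separately, `lib.optionalAttrs` on a `config`-derived condition may force every service's `updateWtmp` while the keys of `systemd` are being computed; `lib.mkIf` with the same condition avoids that strictness and is the usual module-system form. The enclosing `config` block starts and ends outside the hunk.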
@@ -2316,7 +2316,21 @@ in (lib.any (service: service.updateWtmp) (lib.attrValues config.security.pam.services)) { tmpfiles.packages = [ pkgs.util-linux.lastlog ]; # /lib/tmpfiles.d/lastlog2-tmpfiles.conf - services.lastlog2-import.enable = true; + services.lastlog2-import = { + enable = true; + wantedBy = [ "default.target" ]; + after = [ + "local-fs.target" + "systemd-tmpfiles-setup.service" + ]; + # TODO: ${pkgs.util-linux.lastlog}/lib/systemd/system/lastlog2-import.service + # uses unpatched /usr/bin/mv, needs to be fixed on staging + # in the meantime, use a service drop-in here + serviceConfig.ExecStartPost = [ + "" + "${lib.getExe' pkgs.coreutils "mv"} /var/log/lastlog /var/log/lastlog.migrated" + ]; + }; packages = [ pkgs.util-linux.lastlog ]; # lib/systemd/system/lastlog2-import.service }; -- cgit v1.2.3 From 122c5aa7d98f912aadc2c6d1e7dd2db1dc5f5323 Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Sun, 10 Aug 2025 19:30:28 +0200 Subject: nixos/tests/pam-lastlog: test legacy lastlog importer --- nixos/tests/pam/pam-lastlog.nix | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/nixos/tests/pam/pam-lastlog.nix b/nixos/tests/pam/pam-lastlog.nix index 837c84e1e601..cefc8a3d4e45 100644 --- a/nixos/tests/pam/pam-lastlog.nix +++ b/nixos/tests/pam/pam-lastlog.nix 
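Review bot: In the `serviceConfig.ExecStartPost` list, the leading `""` has no comment, yet it is what keeps the packaged unit's `/usr/bin/mv` line from running alongside the coreutils one; a reader who removes it as noise would bring the broken command back. A line such as `# "" clears ExecStartPost inherited from the packaged unit; only the line below runs` above the list would record that. The reset also discards any other `ExecStartPost` the packaged unit may carry now or later, so the TODO could state that the whole `serviceConfig.ExecStartPost` override is to be dropped once the staging fix lands. The packaged unit is not visible here, so it is worth confirming that it guards on `/var/log/lastlog` existing before the `mv` runs, now that the unit is pulled in by `default.target`.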
@@ -13,9 +13,18 @@ }; testScript = '' - machine.wait_for_unit("multi-user.target") - machine.succeed("run0 --pty true") # perform full login - print(machine.succeed("lastlog2 --active --user root")) - machine.succeed("stat /var/lib/lastlog/lastlog2.db") + with subtest("Test legacy lastlog import"): + # create old lastlog file to test import + # empty = nothing will actually be imported, but the service will run + machine.succeed("touch /var/log/lastlog") + machine.wait_for_unit("lastlog2-import.service") + machine.succeed("journalctl -b --grep 'Starting Import lastlog data into lastlog2 database'") + machine.succeed("stat /var/log/lastlog.migrated") + + with subtest("Test lastlog entries are created by logins"): + machine.wait_for_unit("multi-user.target") + machine.succeed("run0 --pty true") # perform full login + print(machine.succeed("lastlog2 --active --user root")) + machine.succeed("stat /var/lib/lastlog/lastlog2.db") ''; } -- cgit v1.2.3
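Review bot: The "Test legacy lastlog import" subtest appears to depend on `touch /var/log/lastlog` landing before `lastlog2-import.service` is started during boot, and nothing in the script enforces that order. If the unit has already run or been skipped by the time the file is created, `wait_for_unit` and the `stat /var/log/lastlog.migrated` check can fail intermittently. Creating the file from the node configuration, for example `systemd.tmpfiles.rules = [ "f /var/log/lastlog 0644 root root -" ];`, would place it before the unit, which the module orders after `systemd-tmpfiles-setup.service`; the node definition is outside this hunk. The journal grep also passes as soon as the unit begins starting, so the `stat` line is the only check that `ExecStartPost` succeeded, and an empty file never exercises the import of real login records.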