Instead of config.security.pam.services, this should be enabledServices.

I am not sure i agree. the lastlog importer service is gated behind the old lastlog db existing via a systemd condition. I did even consider just enabling the service unconditionally. Arguably, if someone has an old lastlog db but currently no pam service that updates lastlog, they might still want to be able to read that old db using the new tools, which requires the import. And having the impoorter around doesn't really hurt anything, because if there is nothing to import it just won't do anything.

That said, maybe this scenario is a bit niche, so i am willing to switch to enabledServices. I assume your point is to make the installed services as minimal as possible, in which case you do have a point.

Sorry for the mess, i now realize #429203 should have been split into two PRs: the util-linux output split and the PAM changes, with the pam changes waiting for a proper thorough review. If i had to do this again i'd do it differently.

I leave it to you to figure out whether the lastlog import should be conditional or unconditional - I have no idea!

But if you choose to make it conditional on whether any PAM service has updateWtmp, the correct way to do it is with enabledServices. Otherwise, we could be in a situation where an explicitly disabled PAM service (with no PAM rules file) is somehow influencing the system configuration.

I don't like that doing the obvious thing (reading config.security.pam.services) is the wrong thing, so I'm considering this a pam.nix rough edge that needs fixing. Using enabledServices in the meantime helps keep usage consistent.

fair enough. I'll draft a change to enabledServices, your reasoning is valid. But i don't think the current state is catastrophically broken, so this time we can wait for you to thoroughly review and discuss the changes.

Thanks! Agreed, it's more of a nitpick.