service/pam: add pam service

src/services/pam/module.md

@@ -0,0 +1,67 @@
+name = "Quickshell.Services.Pam"
+description = "Pam authentication"
+headers = [
+	"qml.hpp",
+	"conversation.hpp",
+]
+-----
+
+## Writing pam configurations
+
+It is a good idea to write pam configurations specifically for quickshell
+if you want to do anything other than match the default login flow.
+
+A good example of this is having a configuration that allows entering a password
+or fingerprint in any order.
+
+### Structure of a pam configuration.
+Pam configuration files are a list of rules, each on a new line in the following form:
+```
+<type> <control_flag> <module_path> [options]
+```
+
+Each line runs in order.
+
+PamContext currently only works with the `auth` type, as other types require root
+access to check.
+
+#### Control flags
+The control flags you're likely to use are `required` and `sufficient`.
+- `required` rules must pass for authentication to succeed.
+- `sufficient` rules will bypass any remaining rules and return on success.
+
+Note that you should have at least one required rule or pam will fail with an undocumented error.
+
+#### Modules
+Pam works with a set of modules that handle various authentication mechanisms.
+Some common ones include `pam_unix.so` which handles passwords and `pam_fprintd.so`
+which handles fingerprints.
+
+These modules have options but none are required for basic functionality.
+
+### Examples
+
+Authenticate with only a password:
+```
+auth required pam_unix.so
+```
+
+Authenticate with only a fingerprint:
+```
+auth required pam_fprintd.so
+```
+
+Try to authenticate with a fingerprint first, but if that fails fall back to a password:
+```
+auth sufficient pam_fprintd.so
+auth required pam_unix.so
+```
+
+Require both a fingerprint and a password:
+```
+auth required pam_fprintd.so
+auth required pam_unix.so
+```
+
+
+See also: [Oracle: PAM configuration file](https://docs.oracle.com/cd/E19683-01/816-4883/pam-32/index.html)