nixos/pam: switch to lastlog2

Adaptation of #282337 to use `util-linux` as `lastlog2` provider

Co-Authored-By: Maxine Aubrey <35892750+amaxine@users.noreply.github.com>

nixos/modules/security/pam.nix

@@ -1311,7 +1311,7 @@ let
                 name = "lastlog";
                 enable = cfg.updateWtmp;
                 control = "required";
-                modulePath = "${package}/lib/security/pam_lastlog.so";
+                modulePath = "${pkgs.util-linux.lastlog}/lib/security/pam_lastlog2.so";
                 settings = {
                   silent = true;
                 };
@@ -2311,6 +2311,12 @@ in
 
     environment.etc = lib.mapAttrs' makePAMService enabledServices;
 
+    systemd = lib.optionalAttrs config.security.pam.services.login.updateWtmp {
+      tmpfiles.packages = [ pkgs.util-linux.lastlog ]; # /lib/tmpfiles.d/lastlog2-tmpfiles.conf
+      services.lastlog2-import.enable = true;
+      packages = [ pkgs.util-linux.lastlog ]; # lib/systemd/system/lastlog2-import.service
+    };
+
     security.pam.services = {
       other.text = ''
         auth     required pam_warn.so