diff --git a/system/machine/Darwin/configuration.nix b/system/machine/Darwin/configuration.nix
index 15c0104..617728a 100644
--- a/system/machine/Darwin/configuration.nix
+++ b/system/machine/Darwin/configuration.nix
@@ -145,17 +145,20 @@
 
   # Touch ID authorises sudo (and darwin-rebuild's sudo prompt) instead of a
   # typed password. sudo_local keeps the change in /etc/pam.d/sudo_local so it
-  # survives macOS updates.
-  security.pam.services.sudo_local.touchIdAuth = true;
+  # survives macOS updates. reattach pulls in pam_reattach: pam_tid (Touch ID)
+  # otherwise fails inside tmux/screen because the process is detached from the
+  # GUI login session -- and terminals here auto-start tmux, so it is required.
+  security.pam.services.sudo_local = {
+    touchIdAuth = true;
+    reattach = true;
+  };
 
   # Declarative macOS UI defaults -- the main reason to run nix-darwin beyond
   # package management. Applied on activation; all reversible.
   system.defaults = {
     dock = {
-      autohide = true;
       show-recents = false;
       mru-spaces = false; # don't reorder spaces by use
-      tilesize = 48;
     };
     finder = {
       AppleShowAllExtensions = true;