fix(darwin): pam_reattach for Touch-ID sudo in tmux; trim dock defaults

Touch ID for sudo failed because pam_tid can't reach the GUI session
from inside tmux (terminals here auto-start tmux); enable sudo_local
reattach (pam_reattach) so the session is re-attached first. Also drop
the dock autohide and tilesize defaults.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

system/machine/Darwin/configuration.nix

@@ -145,17 +145,20 @@
 
   # Touch ID authorises sudo (and darwin-rebuild's sudo prompt) instead of a
   # typed password. sudo_local keeps the change in /etc/pam.d/sudo_local so it
-  # survives macOS updates.
+  # survives macOS updates. reattach pulls in pam_reattach: pam_tid (Touch ID)
-  security.pam.services.sudo_local.touchIdAuth = true;
+  # otherwise fails inside tmux/screen because the process is detached from the
+  # GUI login session -- and terminals here auto-start tmux, so it is required.
+  security.pam.services.sudo_local = {
+    touchIdAuth = true;
+    reattach = true;
+  };
 
   # Declarative macOS UI defaults -- the main reason to run nix-darwin beyond
   # package management. Applied on activation; all reversible.
   system.defaults = {
     dock = {
-      autohide = true;
       show-recents = false;
       mru-spaces = false; # don't reorder spaces by use
-      tilesize = 48;
     };
     finder = {
       AppleShowAllExtensions = true;