pam: Do not use tally2 if faillock is present

From pam 1.4.0 release notes:

Deprecated pam_tally and pam_tally2: these modules are no longer built
by default and will be removed in the next release, use pam_faillock
instead.
https://github.com/linux-pam/linux-pam/releases/tag/v1.4.0

Fixes #1313

cmake/FindPAM.cmake

@@ -13,6 +13,7 @@ endif (PAM_INCLUDE_DIR AND PAM_LIBRARY)
 find_path(PAM_INCLUDE_DIR NAMES security/pam_appl.h pam/pam_appl.h)
 find_library(PAM_LIBRARY pam)
 find_library(DL_LIBRARY dl)
+find_library(HAVE_PAM_FAILLOCK NAME pam_faillock.so PATH_SUFFIXES security)
 
 if (PAM_INCLUDE_DIR AND PAM_LIBRARY)
 	set(PAM_FOUND TRUE)

services/CMakeLists.txt

@@ -10,6 +10,10 @@ else()
 endif()
 configure_file("${CMAKE_CURRENT_SOURCE_DIR}/sddm-greeter.pam.in" "${CMAKE_CURRENT_BINARY_DIR}/sddm-greeter.pam")
 
+if(HAVE_PAM_FAILLOCK)
+    install(FILES sddm-autologin.pam DESTINATION ${CMAKE_INSTALL_FULL_SYSCONFDIR}/pam.d RENAME sddm-autologin)
+else()
+    install(FILES sddm-autologin-tally2.pam DESTINATION ${CMAKE_INSTALL_FULL_SYSCONFDIR}/pam.d RENAME sddm-autologin)
+endif()
 install(FILES sddm.pam DESTINATION ${CMAKE_INSTALL_FULL_SYSCONFDIR}/pam.d RENAME sddm)
-install(FILES sddm-autologin.pam DESTINATION ${CMAKE_INSTALL_FULL_SYSCONFDIR}/pam.d RENAME sddm-autologin)
 install(FILES "${CMAKE_CURRENT_BINARY_DIR}/sddm-greeter.pam" DESTINATION ${CMAKE_INSTALL_FULL_SYSCONFDIR}/pam.d RENAME sddm-greeter)

services/sddm-autologin-tally2.pam

@@ -0,0 +1,13 @@
+#%PAM-1.0
+auth        required    pam_env.so
+auth        required    pam_tally2.so file=/var/log/tallylog onerr=succeed
+auth        required    pam_shells.so
+auth        required    pam_nologin.so
+auth        required    pam_permit.so
+-auth       optional    pam_gnome_keyring.so
+-auth       optional    pam_kwallet5.so
+account     include     system-local-login
+password    include     system-local-login
+session     include     system-local-login
+-session    optional    pam_gnome_keyring.so auto_start
+-session    optional    pam_kwallet5.so auto_start

services/sddm-autologin.pam

@@ -1,6 +1,6 @@
 #%PAM-1.0
 auth        required    pam_env.so
-auth        required    pam_tally2.so file=/var/log/tallylog onerr=succeed
+auth        required    pam_faillock.so preauth
 auth        required    pam_shells.so
 auth        required    pam_nologin.so
 auth        required    pam_permit.so