Replace physlock with vlock
diff --git a/modules/security.nix b/modules/security.nix
index 0f857d4..43b3042 100644
--- a/modules/security.nix
+++ b/modules/security.nix
@@ -26,16 +26,31 @@
services.physlock = {
inherit lockMessage;
- enable = true;
+ enable = false;
allowAnyUser = true;
};
+
+ security.wrappers = {
+ lock = {
+ source = ./security/lock.sh;
+ setuid = true;
+ owner = config.users.users.root.name;
+ group = config.users.users.nobody.group;
+ };
+ _onLock = {
+ source = ./security/onLock.sh;
+ setuid = false;
+ owner = config.users.users.root.name;
+ group = config.users.users.nobody.group;
+ };
+ };
};
home =
let
lockCommand =
lib.pipe ''
- ${pkgs.systemd}/bin/systemd-inhibit --why="Already locked" --what=idle --who="lock script" ${config.security.wrapperDir}/physlock -s -p "${lockMessage}"
+ ${pkgs.systemd}/bin/systemd-inhibit --why="Already locked" --what=idle --who="lock script" ${config.security.wrapperDir}/lock
'' [
(lib.splitString "\n")
(lib.filter (line: line != ""))
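Review bot: The `lock` entry in `security.wrappers` is setuid root, but its `source` is a bash script whose interpreter (`#!/usr/bin/env bash`) and `openvt` call are both resolved through the PATH inherited from the unprivileged caller; the same applies to the commands in modules/security/onLock.sh, which it starts. Code that runs with root privilege should be pinned to store paths, for example by generating the script in Nix with `pkgs.writeShellScript "lock" "exec ${pkgs.kbd}/bin/openvt -sw ${config.security.wrapperDir}/_onLock"` rather than relying on `pkgs.kbd` being in `home.packages`. Bash normally resets its effective UID to the real UID when started setuid without `-p`, so it is worth confirming that `openvt` actually receives the privilege this wrapper is meant to give it. The `_onLock` entry has `setuid = false` and no capabilities visible here, so it appears to add nothing over calling the script directly. The enclosing attribute set starts outside this hunk.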
@@ -44,7 +59,7 @@
in
{
services.swayidle = {
- enable = true;
+ enable = false;
timeouts = [
{
timeout = 60;
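Review bot: Setting `services.swayidle.enable = false` removes the idle-triggered lock, so after this change the session seems to lock only when `lock` is run by hand. If that is temporary, say so next to the setting, e.g. `# TODO: re-enable once the vlock wrapper works from swayidle`; otherwise keep `enable = true` so the existing `timeouts` entry still fires. The `timeouts` list continues outside this hunk, so what it runs at 60 seconds is not visible here.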
@@ -54,6 +69,7 @@
};
home.packages = [
(pkgs.writeScriptBin "lock" lockCommand)
+ pkgs.kbd
];
};
}
diff --git a/modules/security/lock.sh b/modules/security/lock.sh
new file mode 100755
index 0000000..2210d2d
--- /dev/null
+++ b/modules/security/lock.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+openvt -sw /run/wrappers/bin/_onLock
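Review bot: The path `/run/wrappers/bin/_onLock` is hard-coded here while modules/security.nix refers to the same directory as `${config.security.wrapperDir}`, so the two can drift apart if the wrapper directory is ever changed. The script also has no header saying how it is installed; a comment such as `# Installed setuid root via security.wrappers.lock; keep every command absolute.` would tell the next editor why PATH lookups do not belong in this file.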
diff --git a/modules/security/onLock.sh b/modules/security/onLock.sh
new file mode 100755
index 0000000..fb64361
--- /dev/null
+++ b/modules/security/onLock.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+read -r uid < /proc/self/loginuid ||:
+chown -h "$uid" "$(tty)";
+exec sudo -u "#$uid" -- vlock -a
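Review bot: The value read from `/proc/self/loginuid` is used unvalidated in `chown -h` and `sudo -u "#$uid"`, and `||:` hides a failed read, so an empty value or the kernel's unset marker 4294967295 reaches both commands. Add a guard before the `chown`, for example `[[ $uid =~ ^[0-9]+$ && $uid != 4294967295 ]] || exit 1`, so the script stops instead of handing the terminal to an unintended ID. The result of `$(tty)` is likewise unchecked; when stdin is not a terminal it prints `not a tty`, which `chown` would then treat as a file name. If `exec sudo` fails the script simply exits, which presumably returns the user to an unlocked session, so a non-zero exit should be treated as "lock failed" by the caller.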
diff --git a/packages/vlock.nix b/packages/vlock.nix
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/packages/vlock.nix
@@ -0,0 +1 @@
+
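Review bot: `packages/vlock.nix` is added with no content, which is not a valid Nix expression, and nothing in this diff references it, while modules/security/onLock.sh calls `vlock` by bare name. Either fill in the derivation and reference its store path from the lock script, or drop the file from this commit. As it stands, nothing visible here shows where `vlock` is expected to come from at run time.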