| lockMessage = "This computer has been locked, please authenticate to continue"; |
| services.fprintd.enable = true; |
| environment.persistence."/nix/persist".directories = [ "/var/lib/fprint" ]; |
| security.auditd.enable = true; |
| services.syslogd.enable = true; |
| services.syslogd.extraConfig = '' |
| services.journald.forwardToSyslog = true; |
| killUnconfinedConfinables = true; |
| boot.initrd.availableKernelModules = [ |
| boot.initrd.luks.devices = { |
| nix.device = "/dev/disk/by-label/NIX"; |
| swap.device = "/dev/disk/by-label/SWAP"; |
| expansion0.device = "/dev/disk/by-label/EXPANSION0"; |
| source = ./security/lock.sh; |
| owner = config.users.users.root.name; |
| group = config.users.users.nobody.group; |
| source = ./security/onLock.sh; |
| owner = config.users.users.root.name; |
| group = config.users.users.nobody.group; |
| ${pkgs.systemd}/bin/systemd-inhibit --why="Already locked" --what=idle --who="lock script" ${config.security.wrapperDir}/lock |
| (lib.filter (line: line != "")) |
| (lib.concatStringsSep " && ") |
| (pkgs.writeScriptBin "lock" lockCommand) |