Gitiles
Code Review Sign In
git.clicks.codes / Minion / NixFiles / 3c6b6d64e38dd976085e43489ed0c45ab754b2d4 / . / modules / security.nix
blob: 3bc5cb49a8b03b64722a0dd9edeebb69ce1faebe [file] [log] [blame]
Skyler Grey6aa7c262022-08-20 22:22:03 +0100[diff] [blame]1{
Skyler Grey91935932022-09-01 23:43:06 +0100[diff] [blame]2 lib,
3 pkgs,
4 config,
5 ...
6}: let
7 lockMessage = "This computer has been locked, please enter your password to continue";
8in {
Skyler Greyff3c6a22022-08-21 07:25:02 +0100[diff] [blame]9 config = {
10 security.apparmor = {
11 enable = true;
12 killUnconfinedConfinables = true;
13 };
14
15 boot.initrd.availableKernelModules = [
16 "aesni_intel"
17 "cryptd"
18 ];
19
20 boot.initrd.luks.devices = {
Skyler Grey91935932022-09-01 23:43:06 +0100[diff] [blame]21 nix.device = "/dev/disk/by-label/NIX";
22 swap.device = "/dev/disk/by-label/SWAP";
23 hdd.device = "/dev/disk/by-label/HDD";
Skyler Grey0fa154f2022-08-21 07:30:37 +0100[diff] [blame]24 };
Skyler Grey91935932022-09-01 23:43:06 +0100[diff] [blame]25
26 services.physlock = {
27 inherit lockMessage;
28 enable = true;
29 allowAnyUser = true;
30 };
31 };
32
33 home = let
34 lockCommand = lib.pipe ''
35 ${pkgs.sway}/bin/swaymsg output "*" dpms off
36 ${config.security.wrapperDir}/physlock -s -p "${lockMessage}"
37 while [ $(${pkgs.sway}/bin/swaymsg -t get_seats | ${pkgs.jq}/bin/jq "[.[] | .capabilities] | max") -eq 0 ]; do ${pkgs.coreutils}/bin/sleep 0.1; done
38 ${pkgs.sway}/bin/swaymsg output "*" dpms on
39 '' [
40 (lib.splitString "\n")
41 (lib.filter (line: line != ""))
42 (lib.concatStringsSep " && ")
43 ];
44 in {
45 services.swayidle = {
46 enable = true;
47 timeouts = [
48 {
49 timeout = 60;
50 command = lockCommand;
51 }
52 ];
53 };
54 home.packages = [
55 (pkgs.writeScriptBin "lock" lockCommand)
56 ];
Skyler Grey6aa7c262022-08-20 22:22:03 +0100[diff] [blame]57 };
58}