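# Security hardening module: AppArmor, LUKS-encrypted volumes unlocked in the
# initrd, and a physlock-based screen lock that swayidle triggers after a
# period of inactivity.
#
# The result has two top-level attributes: `config` holds NixOS system options,
# `home` holds per-user options (services.swayidle, home.packages).
# NOTE(review): `home` looks like home-manager configuration consumed by the
# repository's own module loader; confirm against the caller.
{ lib
, pkgs
, config
, ...
}:
let
  # Shown on the physlock prompt; shared by the system service and the
  # user-level lock command so both present the same text.
  lockMessage = "This computer has been locked, please authenticate to continue";
in
{
  config = {
    security.apparmor = {
      enable = true;
      # Processes that have a profile available but are running unconfined are
      # killed instead of being left unconfined.
      killUnconfinedConfinables = true;
    };

    # Kernel modules made available in the initrd.
    # NOTE(review): presumably here so hardware-accelerated AES is usable while
    # the LUKS volumes below are being opened; confirm on the target hardware.
    boot.initrd.availableKernelModules = [
      "aesni_intel"
      "cryptd"
    ];

    # LUKS containers opened during early boot, located by filesystem label.
    # Swap is one of them, so pages written to swap are encrypted at rest.
    boot.initrd.luks.devices = {
      nix.device = "/dev/disk/by-label/NIX";
      swap.device = "/dev/disk/by-label/SWAP";
      hdd.device = "/dev/disk/by-label/HDD";
    };

    services.physlock = {
      inherit lockMessage;
      enable = true;
      # Installs a setuid wrapper so any local user can start physlock as root.
      # The lock command below depends on that wrapper; the trade-off is one
      # more setuid binary on the system.
      allowAnyUser = true;
    };
  };

  home =
    let
      # Shell command that locks the session.
      #   systemd-inhibit --what=idle  holds an idle inhibitor for as long as
      #                                physlock runs, so the idle timeout does
      #                                not fire again while already locked.
      #   physlock -s                  disables SysRq while locked.
      #   physlock -p                  sets the prompt message.
      # physlock is run through the setuid wrapper in security.wrapperDir, not
      # the store path, because it needs root privileges.
      # The message is passed through lib.escapeShellArg so that quotes or
      # shell metacharacters in it cannot change the command.
      #
      # lib.pipe turns the multi-line string into one command line: split on
      # newlines, drop empty lines, join the remaining lines with " && ".
      lockCommand =
        lib.pipe ''
          ${pkgs.systemd}/bin/systemd-inhibit --why="Already locked" --what=idle --who="lock script" ${config.security.wrapperDir}/physlock -s -p ${lib.escapeShellArg lockMessage}
        '' [
          (lib.splitString "\n")
          (lib.filter (line: line != ""))
          (lib.concatStringsSep " && ")
        ];
    in
    {
      services.swayidle = {
        enable = true;
        timeouts = [
          {
            # Seconds of inactivity before the session is locked.
            timeout = 60;
            command = lockCommand;
          }
        ];
      };
      home.packages = [
        # writeShellScriptBin prepends a shebang, so `lock` can also be started
        # by callers that exec it directly and not only from a shell.
        (pkgs.writeShellScriptBin "lock" lockCommand)
      ];
    };
}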