Gitiles
Code Review Sign In
git.clicks.codes / Minion / NixFiles / 6a2b11ad54e78835836c7f0db2babc28dd0c11e8 / . / modules / security.nix
blob: f56115b9b22ef7276b23763edcd28aa0c79eed71 [file] [log] [blame]
Skyler Grey6aa7c262022-08-20 22:22:03 +0100[diff] [blame]1{
Skyler Grey91935932022-09-01 23:43:06 +0100[diff] [blame]2 lib,
3 pkgs,
4 config,
5 ...
6}: let
7 lockMessage = "This computer has been locked, please enter your password to continue";
8in {
Skyler Greyff3c6a22022-08-21 07:25:02 +0100[diff] [blame]9 config = {
10 security.apparmor = {
11 enable = true;
12 killUnconfinedConfinables = true;
13 };
14
15 boot.initrd.availableKernelModules = [
16 "aesni_intel"
17 "cryptd"
18 ];
19
20 boot.initrd.luks.devices = {
Skyler Grey91935932022-09-01 23:43:06 +0100[diff] [blame]21 nix.device = "/dev/disk/by-label/NIX";
22 swap.device = "/dev/disk/by-label/SWAP";
23 hdd.device = "/dev/disk/by-label/HDD";
Skyler Grey0fa154f2022-08-21 07:30:37 +0100[diff] [blame]24 };
Skyler Grey91935932022-09-01 23:43:06 +0100[diff] [blame]25
26 services.physlock = {
27 inherit lockMessage;
28 enable = true;
29 allowAnyUser = true;
30 };
31 };
32
33 home = let
Skyler Grey1010db92022-09-05 03:21:48 +0100[diff] [blame]34 lockCommand =
35 lib.pipe ''
36 ${pkgs.sway}/bin/swaymsg output "*" dpms off
37 ${config.security.wrapperDir}/physlock -s -p "${lockMessage}"
38 while [ $(${pkgs.sway}/bin/swaymsg -t get_seats | ${pkgs.jq}/bin/jq "[.[] | .capabilities] | max") -eq 0 ]; do ${pkgs.coreutils}/bin/sleep 0.1; done
39 ${pkgs.sway}/bin/swaymsg output "*" dpms on
40 '' [
41 (lib.splitString "\n")
42 (lib.filter (line: line != ""))
43 (lib.concatStringsSep " && ")
44 ];
Skyler Grey91935932022-09-01 23:43:06 +0100[diff] [blame]45 in {
46 services.swayidle = {
47 enable = true;
48 timeouts = [
49 {
50 timeout = 60;
51 command = lockCommand;
52 }
53 ];
54 };
55 home.packages = [
56 (pkgs.writeScriptBin "lock" lockCommand)
57 ];
Skyler Grey6aa7c262022-08-20 22:22:03 +0100[diff] [blame]58 };
59}