Gitiles
Code Review Sign In
git.clicks.codes / Minion / NixFiles / 6e17ac9b6a5f56aa3e087e3a509ace4b0c4fb32d / . / modules / security.nix
blob: 43b304239106ce4bcdfb0f6fa02c61a87bbf42e6 [file] [log] [blame]
Skyler Grey252927a2022-10-18 22:18:15 +0100[diff] [blame]1{ lib
2, pkgs
3, config
4, ...
5}:
6let
Skyler Greya2dabd72022-10-31 00:36:05 +0000[diff] [blame]7 lockMessage = "This computer has been locked, please authenticate to continue";
Skyler Grey252927a2022-10-18 22:18:15 +0100[diff] [blame]8in
9{
Skyler Greyff3c6a22022-08-21 07:25:02 +0100[diff] [blame]10 config = {
11 security.apparmor = {
12 enable = true;
13 killUnconfinedConfinables = true;
14 };
15
16 boot.initrd.availableKernelModules = [
17 "aesni_intel"
18 "cryptd"
19 ];
20
21 boot.initrd.luks.devices = {
Skyler Grey91935932022-09-01 23:43:06 +0100[diff] [blame]22 nix.device = "/dev/disk/by-label/NIX";
23 swap.device = "/dev/disk/by-label/SWAP";
24 hdd.device = "/dev/disk/by-label/HDD";
Skyler Grey0fa154f2022-08-21 07:30:37 +0100[diff] [blame]25 };
Skyler Grey91935932022-09-01 23:43:06 +0100[diff] [blame]26
27 services.physlock = {
28 inherit lockMessage;
Skyler Grey09c14112023-02-19 23:41:20 +0000[diff] [blame]29 enable = false;
Skyler Grey91935932022-09-01 23:43:06 +0100[diff] [blame]30 allowAnyUser = true;
31 };
Skyler Grey09c14112023-02-19 23:41:20 +0000[diff] [blame]32
33 security.wrappers = {
34 lock = {
35 source = ./security/lock.sh;
36 setuid = true;
37 owner = config.users.users.root.name;
38 group = config.users.users.nobody.group;
39 };
40 _onLock = {
41 source = ./security/onLock.sh;
42 setuid = false;
43 owner = config.users.users.root.name;
44 group = config.users.users.nobody.group;
45 };
46 };
Skyler Grey91935932022-09-01 23:43:06 +0100[diff] [blame]47 };
48
Skyler Grey252927a2022-10-18 22:18:15 +0100[diff] [blame]49 home =
50 let
51 lockCommand =
52 lib.pipe ''
Skyler Grey09c14112023-02-19 23:41:20 +0000[diff] [blame]53 ${pkgs.systemd}/bin/systemd-inhibit --why="Already locked" --what=idle --who="lock script" ${config.security.wrapperDir}/lock
Skyler Grey252927a2022-10-18 22:18:15 +0100[diff] [blame]54 '' [
55 (lib.splitString "\n")
56 (lib.filter (line: line != ""))
57 (lib.concatStringsSep " && ")
58 ];
59 in
60 {
61 services.swayidle = {
Skyler Grey09c14112023-02-19 23:41:20 +0000[diff] [blame]62 enable = false;
Skyler Grey252927a2022-10-18 22:18:15 +0100[diff] [blame]63 timeouts = [
64 {
65 timeout = 60;
66 command = lockCommand;
67 }
68 ];
69 };
70 home.packages = [
71 (pkgs.writeScriptBin "lock" lockCommand)
Skyler Grey09c14112023-02-19 23:41:20 +0000[diff] [blame]72 pkgs.kbd
Skyler Grey91935932022-09-01 23:43:06 +0100[diff] [blame]73 ];
74 };
Skyler Grey6aa7c262022-08-20 22:22:03 +0100[diff] [blame]75}