Gitiles
Code Review Sign In
git.clicks.codes / Minion / NixFiles / 7c0a1e1c572c3761d5a0d27d74cb2ccf78b4f05d / . / modules / security.nix
blob: a97e20ea241e9b2d45c4db2df4497b2458409e85 [file] [log] [blame]
Skyler Grey252927a2022-10-18 22:18:15 +0100[diff] [blame]1{ lib
2, pkgs
3, config
4, ...
5}:
6let
Skyler Greya2dabd72022-10-31 00:36:05 +0000[diff] [blame]7 lockMessage = "This computer has been locked, please authenticate to continue";
Skyler Grey252927a2022-10-18 22:18:15 +0100[diff] [blame]8in
9{
Skyler Greyff3c6a22022-08-21 07:25:02 +0100[diff] [blame]10 config = {
Skyler Greyd2642a22023-02-26 12:47:10 +0000[diff] [blame]11 internal.allowUnfree = [ "libfprint-2-tod1-goodix" ];
12 services.fprintd = {
13 enable = true;
14 tod = {
15 enable = true;
16 driver = pkgs.libfprint-2-tod1-goodix;
17 };
18 };
19
Skyler Greyff3c6a22022-08-21 07:25:02 +0100[diff] [blame]20 security.apparmor = {
21 enable = true;
22 killUnconfinedConfinables = true;
23 };
24
25 boot.initrd.availableKernelModules = [
26 "aesni_intel"
27 "cryptd"
28 ];
29
30 boot.initrd.luks.devices = {
Skyler Grey91935932022-09-01 23:43:06 +0100[diff] [blame]31 nix.device = "/dev/disk/by-label/NIX";
32 swap.device = "/dev/disk/by-label/SWAP";
33 hdd.device = "/dev/disk/by-label/HDD";
Skyler Grey0fa154f2022-08-21 07:30:37 +0100[diff] [blame]34 };
Skyler Grey91935932022-09-01 23:43:06 +0100[diff] [blame]35
36 services.physlock = {
37 inherit lockMessage;
Skyler Grey09c14112023-02-19 23:41:20 +0000[diff] [blame]38 enable = false;
Skyler Grey91935932022-09-01 23:43:06 +0100[diff] [blame]39 allowAnyUser = true;
40 };
Skyler Grey09c14112023-02-19 23:41:20 +0000[diff] [blame]41
42 security.wrappers = {
43 lock = {
44 source = ./security/lock.sh;
45 setuid = true;
46 owner = config.users.users.root.name;
47 group = config.users.users.nobody.group;
48 };
49 _onLock = {
50 source = ./security/onLock.sh;
51 setuid = false;
52 owner = config.users.users.root.name;
53 group = config.users.users.nobody.group;
54 };
55 };
Skyler Grey91935932022-09-01 23:43:06 +0100[diff] [blame]56 };
57
Skyler Grey252927a2022-10-18 22:18:15 +0100[diff] [blame]58 home =
59 let
60 lockCommand =
61 lib.pipe ''
Skyler Grey09c14112023-02-19 23:41:20 +0000[diff] [blame]62 ${pkgs.systemd}/bin/systemd-inhibit --why="Already locked" --what=idle --who="lock script" ${config.security.wrapperDir}/lock
Skyler Grey252927a2022-10-18 22:18:15 +0100[diff] [blame]63 '' [
64 (lib.splitString "\n")
65 (lib.filter (line: line != ""))
66 (lib.concatStringsSep " && ")
67 ];
68 in
69 {
70 services.swayidle = {
Skyler Grey09c14112023-02-19 23:41:20 +0000[diff] [blame]71 enable = false;
Skyler Grey252927a2022-10-18 22:18:15 +0100[diff] [blame]72 timeouts = [
73 {
74 timeout = 60;
75 command = lockCommand;
76 }
77 ];
78 };
79 home.packages = [
80 (pkgs.writeScriptBin "lock" lockCommand)
Skyler Grey09c14112023-02-19 23:41:20 +0000[diff] [blame]81 pkgs.kbd
Skyler Grey91935932022-09-01 23:43:06 +0100[diff] [blame]82 ];
83 };
Skyler Grey6aa7c262022-08-20 22:22:03 +0100[diff] [blame]84}