Blame - modules/security.nix - Minion/NixFiles

blob: c9dba17001f6bdee2a3401913912d9008adfb769 [file] [log] [blame]

Skyler Grey	252927a	2022-10-18 22:18:15 +0100	[diff] [blame]	1	{ lib
				2	, pkgs
				3	, config
				4	, ...
				5	}:
				6	let
Skyler Grey	a2dabd7	2022-10-31 00:36:05 +0000	[diff] [blame]	7	lockMessage = "This computer has been locked, please authenticate to continue";
Skyler Grey	252927a	2022-10-18 22:18:15 +0100	[diff] [blame]	8	in
				9	{
Skyler Grey	ff3c6a2	2022-08-21 07:25:02 +0100	[diff] [blame]	10	config = {
Skyler Grey	ebd5a8e	2023-02-26 12:58:17 +0000	[diff] [blame]	11	services.fprintd.enable = true;
Skyler Grey	d2642a2	2023-02-26 12:47:10 +0000	[diff] [blame]	12
Skyler Grey	ff3c6a2	2022-08-21 07:25:02 +0100	[diff] [blame]	13	security.apparmor = {
				14	enable = true;
				15	killUnconfinedConfinables = true;
				16	};
				17
				18	boot.initrd.availableKernelModules = [
				19	"aesni_intel"
				20	"cryptd"
Skyler Grey	ebd5a8e	2023-02-26 12:58:17 +0000	[diff] [blame]	21	"uas"
				22	"xhci_hcd"
Skyler Grey	ff3c6a2	2022-08-21 07:25:02 +0100	[diff] [blame]	23	];
				24
				25	boot.initrd.luks.devices = {
Skyler Grey	9193593	2022-09-01 23:43:06 +0100	[diff] [blame]	26	nix.device = "/dev/disk/by-label/NIX";
				27	swap.device = "/dev/disk/by-label/SWAP";
Skyler Grey	ebd5a8e	2023-02-26 12:58:17 +0000	[diff] [blame]	28	expansion0.device = "/dev/disk/by-label/EXPANSION0";
Skyler Grey	0fa154f	2022-08-21 07:30:37 +0100	[diff] [blame]	29	};
Skyler Grey	9193593	2022-09-01 23:43:06 +0100	[diff] [blame]	30
				31	services.physlock = {
				32	inherit lockMessage;
Skyler Grey	09c1411	2023-02-19 23:41:20 +0000	[diff] [blame]	33	enable = false;
Skyler Grey	9193593	2022-09-01 23:43:06 +0100	[diff] [blame]	34	allowAnyUser = true;
				35	};
Skyler Grey	09c1411	2023-02-19 23:41:20 +0000	[diff] [blame]	36
				37	security.wrappers = {
				38	lock = {
				39	source = ./security/lock.sh;
				40	setuid = true;
				41	owner = config.users.users.root.name;
				42	group = config.users.users.nobody.group;
				43	};
				44	_onLock = {
				45	source = ./security/onLock.sh;
				46	setuid = false;
				47	owner = config.users.users.root.name;
				48	group = config.users.users.nobody.group;
				49	};
				50	};
Skyler Grey	9193593	2022-09-01 23:43:06 +0100	[diff] [blame]	51	};
				52
Skyler Grey	252927a	2022-10-18 22:18:15 +0100	[diff] [blame]	53	home =
				54	let
				55	lockCommand =
				56	lib.pipe ''
Skyler Grey	09c1411	2023-02-19 23:41:20 +0000	[diff] [blame]	57	${pkgs.systemd}/bin/systemd-inhibit --why="Already locked" --what=idle --who="lock script" ${config.security.wrapperDir}/lock
Skyler Grey	252927a	2022-10-18 22:18:15 +0100	[diff] [blame]	58	'' [
				59	(lib.splitString "\n")
				60	(lib.filter (line: line != ""))
				61	(lib.concatStringsSep " && ")
				62	];
				63	in
				64	{
				65	services.swayidle = {
Skyler Grey	09c1411	2023-02-19 23:41:20 +0000	[diff] [blame]	66	enable = false;
Skyler Grey	252927a	2022-10-18 22:18:15 +0100	[diff] [blame]	67	timeouts = [
				68	{
				69	timeout = 60;
				70	command = lockCommand;
				71	}
				72	];
				73	};
				74	home.packages = [
				75	(pkgs.writeScriptBin "lock" lockCommand)
Skyler Grey	09c1411	2023-02-19 23:41:20 +0000	[diff] [blame]	76	pkgs.kbd
Skyler Grey	9193593	2022-09-01 23:43:06 +0100	[diff] [blame]	77	];
				78	};
Skyler Grey	6aa7c26	2022-08-20 22:22:03 +0100	[diff] [blame]	79	}