Blame - modules/security.nix - Minion/NixFiles

blob: fe3b3333b4b2efd89ef41ee5e35a273ebc7cfc04 [file] [log] [blame]

Skyler Grey	252927a	2022-10-18 22:18:15 +0100	[diff] [blame]	1	{ lib
				2	, pkgs
				3	, config
				4	, ...
				5	}:
				6	let
Skyler Grey	a2dabd7	2022-10-31 00:36:05 +0000	[diff] [blame]	7	lockMessage = "This computer has been locked, please authenticate to continue";
Skyler Grey	252927a	2022-10-18 22:18:15 +0100	[diff] [blame]	8	in
				9	{
Skyler Grey	ff3c6a2	2022-08-21 07:25:02 +0100	[diff] [blame]	10	config = {
Skyler Grey	ebd5a8e	2023-02-26 12:58:17 +0000	[diff] [blame]	11	services.fprintd.enable = true;
Skyler Grey	3a504fa	2023-02-26 13:04:06 +0000	[diff] [blame]	12	environment.persistence."/nix/persist".directories = [ "/var/lib/fprint" ];
Skyler Grey	d2642a2	2023-02-26 12:47:10 +0000	[diff] [blame]	13
Skyler Grey	ff3c6a2	2022-08-21 07:25:02 +0100	[diff] [blame]	14	security.apparmor = {
				15	enable = true;
				16	killUnconfinedConfinables = true;
				17	};
				18
				19	boot.initrd.availableKernelModules = [
				20	"aesni_intel"
				21	"cryptd"
Skyler Grey	ebd5a8e	2023-02-26 12:58:17 +0000	[diff] [blame]	22	"uas"
				23	"xhci_hcd"
Skyler Grey	ff3c6a2	2022-08-21 07:25:02 +0100	[diff] [blame]	24	];
				25
				26	boot.initrd.luks.devices = {
Skyler Grey	9193593	2022-09-01 23:43:06 +0100	[diff] [blame]	27	nix.device = "/dev/disk/by-label/NIX";
				28	swap.device = "/dev/disk/by-label/SWAP";
Skyler Grey	ebd5a8e	2023-02-26 12:58:17 +0000	[diff] [blame]	29	expansion0.device = "/dev/disk/by-label/EXPANSION0";
Skyler Grey	0fa154f	2022-08-21 07:30:37 +0100	[diff] [blame]	30	};
Skyler Grey	9193593	2022-09-01 23:43:06 +0100	[diff] [blame]	31
				32	services.physlock = {
				33	inherit lockMessage;
Skyler Grey	09c1411	2023-02-19 23:41:20 +0000	[diff] [blame]	34	enable = false;
Skyler Grey	9193593	2022-09-01 23:43:06 +0100	[diff] [blame]	35	allowAnyUser = true;
				36	};
Skyler Grey	09c1411	2023-02-19 23:41:20 +0000	[diff] [blame]	37
				38	security.wrappers = {
				39	lock = {
				40	source = ./security/lock.sh;
				41	setuid = true;
				42	owner = config.users.users.root.name;
				43	group = config.users.users.nobody.group;
				44	};
				45	_onLock = {
				46	source = ./security/onLock.sh;
				47	setuid = false;
				48	owner = config.users.users.root.name;
				49	group = config.users.users.nobody.group;
				50	};
				51	};
Skyler Grey	9193593	2022-09-01 23:43:06 +0100	[diff] [blame]	52	};
				53
Skyler Grey	252927a	2022-10-18 22:18:15 +0100	[diff] [blame]	54	home =
				55	let
				56	lockCommand =
				57	lib.pipe ''
Skyler Grey	09c1411	2023-02-19 23:41:20 +0000	[diff] [blame]	58	${pkgs.systemd}/bin/systemd-inhibit --why="Already locked" --what=idle --who="lock script" ${config.security.wrapperDir}/lock
Skyler Grey	252927a	2022-10-18 22:18:15 +0100	[diff] [blame]	59	'' [
				60	(lib.splitString "\n")
				61	(lib.filter (line: line != ""))
				62	(lib.concatStringsSep " && ")
				63	];
				64	in
				65	{
				66	services.swayidle = {
Skyler Grey	09c1411	2023-02-19 23:41:20 +0000	[diff] [blame]	67	enable = false;
Skyler Grey	252927a	2022-10-18 22:18:15 +0100	[diff] [blame]	68	timeouts = [
				69	{
				70	timeout = 60;
				71	command = lockCommand;
				72	}
				73	];
				74	};
				75	home.packages = [
				76	(pkgs.writeScriptBin "lock" lockCommand)
Skyler Grey	09c1411	2023-02-19 23:41:20 +0000	[diff] [blame]	77	pkgs.kbd
Skyler Grey	9193593	2022-09-01 23:43:06 +0100	[diff] [blame]	78	];
				79	};
Skyler Grey	6aa7c26	2022-08-20 22:22:03 +0100	[diff] [blame]	80	}