Blame - modules/security.nix - Minion/NixFiles

blob: 889e44d2733da3ee132beab241b0f037a0a0ad8e [file] [log] [blame]

Skyler Grey	252927a	2022-10-18 22:18:15 +0100	[diff] [blame]	1	{ lib
				2	, pkgs
				3	, config
				4	, ...
				5	}:
				6	let
Skyler Grey	a2dabd7	2022-10-31 00:36:05 +0000	[diff] [blame]	7	lockMessage = "This computer has been locked, please authenticate to continue";
Skyler Grey	252927a	2022-10-18 22:18:15 +0100	[diff] [blame]	8	in
				9	{
Skyler Grey	ff3c6a2	2022-08-21 07:25:02 +0100	[diff] [blame]	10	config = {
Skyler Grey	ebd5a8e	2023-02-26 12:58:17 +0000	[diff] [blame]	11	services.fprintd.enable = true;
Skyler Grey	3a504fa	2023-02-26 13:04:06 +0000	[diff] [blame]	12	environment.persistence."/nix/persist".directories = [ "/var/lib/fprint" ];
Skyler Grey	d2642a2	2023-02-26 12:47:10 +0000	[diff] [blame]	13
Skyler Grey	ea00ad5	2023-02-13 06:49:48 +0000	[diff] [blame^]	14	security.auditd.enable = true;
				15	services.syslogd.enable = true;
				16	services.syslogd.extraConfig = ''
				17	. -/var/log/syslog
				18	'';
				19	services.journald.forwardToSyslog = true;
Skyler Grey	ff3c6a2	2022-08-21 07:25:02 +0100	[diff] [blame]	20	security.apparmor = {
				21	enable = true;
				22	killUnconfinedConfinables = true;
				23	};
				24
				25	boot.initrd.availableKernelModules = [
				26	"aesni_intel"
				27	"cryptd"
Skyler Grey	ebd5a8e	2023-02-26 12:58:17 +0000	[diff] [blame]	28	"uas"
				29	"xhci_hcd"
Skyler Grey	ff3c6a2	2022-08-21 07:25:02 +0100	[diff] [blame]	30	];
				31
				32	boot.initrd.luks.devices = {
Skyler Grey	9193593	2022-09-01 23:43:06 +0100	[diff] [blame]	33	nix.device = "/dev/disk/by-label/NIX";
				34	swap.device = "/dev/disk/by-label/SWAP";
Skyler Grey	ebd5a8e	2023-02-26 12:58:17 +0000	[diff] [blame]	35	expansion0.device = "/dev/disk/by-label/EXPANSION0";
Skyler Grey	0fa154f	2022-08-21 07:30:37 +0100	[diff] [blame]	36	};
Skyler Grey	9193593	2022-09-01 23:43:06 +0100	[diff] [blame]	37
				38	services.physlock = {
				39	inherit lockMessage;
Skyler Grey	09c1411	2023-02-19 23:41:20 +0000	[diff] [blame]	40	enable = false;
Skyler Grey	9193593	2022-09-01 23:43:06 +0100	[diff] [blame]	41	allowAnyUser = true;
				42	};
Skyler Grey	09c1411	2023-02-19 23:41:20 +0000	[diff] [blame]	43
				44	security.wrappers = {
				45	lock = {
				46	source = ./security/lock.sh;
				47	setuid = true;
				48	owner = config.users.users.root.name;
				49	group = config.users.users.nobody.group;
				50	};
				51	_onLock = {
				52	source = ./security/onLock.sh;
				53	setuid = false;
				54	owner = config.users.users.root.name;
				55	group = config.users.users.nobody.group;
				56	};
				57	};
Skyler Grey	9193593	2022-09-01 23:43:06 +0100	[diff] [blame]	58	};
				59
Skyler Grey	252927a	2022-10-18 22:18:15 +0100	[diff] [blame]	60	home =
				61	let
				62	lockCommand =
				63	lib.pipe ''
Skyler Grey	09c1411	2023-02-19 23:41:20 +0000	[diff] [blame]	64	${pkgs.systemd}/bin/systemd-inhibit --why="Already locked" --what=idle --who="lock script" ${config.security.wrapperDir}/lock
Skyler Grey	252927a	2022-10-18 22:18:15 +0100	[diff] [blame]	65	'' [
				66	(lib.splitString "\n")
				67	(lib.filter (line: line != ""))
				68	(lib.concatStringsSep " && ")
				69	];
				70	in
				71	{
				72	services.swayidle = {
Skyler Grey	09c1411	2023-02-19 23:41:20 +0000	[diff] [blame]	73	enable = false;
Skyler Grey	252927a	2022-10-18 22:18:15 +0100	[diff] [blame]	74	timeouts = [
				75	{
				76	timeout = 60;
				77	command = lockCommand;
				78	}
				79	];
				80	};
				81	home.packages = [
				82	(pkgs.writeScriptBin "lock" lockCommand)
Skyler Grey	09c1411	2023-02-19 23:41:20 +0000	[diff] [blame]	83	pkgs.kbd
Skyler Grey	9193593	2022-09-01 23:43:06 +0100	[diff] [blame]	84	];
				85	};
Skyler Grey	6aa7c26	2022-08-20 22:22:03 +0100	[diff] [blame]	86	}