nixos-configs/modules/desktop/desktop-environment/security.nix


{
config,
lib,
pkgs,
...
}: let
inherit (lib) getExe mkIf;
cfg = config.roles.desktop;
hmCfg = config.home-manager.users.${cfg.user};
agsPkg = hmCfg.programs.ags.finalPackage;
hyprPkg = hmCfg.wayland.windowManager.hyprland.finalPackage;
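runInDesktop = pkgs.writeShellApplication {
  # Dispatches a command into the desktop user's Hyprland session from a
  # caller outside that session (the acpid lid handler in this file uses it).
  # Every instance signature listed under /run/user/<uid>/hypr/ is tried in
  # turn with `hyprctl dispatch exec`, run as cfg.user through sudo.
  # Exit status: 0 as soon as one instance accepts the command, 1 otherwise.
  name = "runInDesktop";

  runtimeInputs = [
    pkgs.sudo
    agsPkg
    hyprPkg
  ];

  text = ''
    params=( "$@" )
    user="$(id -u ${cfg.user})"
    readarray -t SIGS <<< "$(ls "/run/user/$user/hypr/")"

    run() {
      export HYPRLAND_INSTANCE_SIGNATURE="$1"
      # NOTE(review): -E hands the caller's whole environment to the
      # user-side process, while the only variable this script sets for
      # hyprctl is HYPRLAND_INSTANCE_SIGNATURE. Consider narrowing to
      # --preserve-env=HYPRLAND_INSTANCE_SIGNATURE once it is confirmed
      # that hyprctl needs nothing else from the environment.
      sudo -Eu ${cfg.user} hyprctl dispatch exec "''${params[@]}"
    }

    # sudo exits with the status of the command it ran, so a failing hyprctl
    # is visible here. Whether hyprctl reports a stale instance with a
    # non-zero status should still be confirmed for the pinned version.
    #
    # The loop is bounded by the list of signatures: the previous
    # index-based loop only stopped once the index ran past the array and
    # tripped nounset.
    for sig in "''${SIGS[@]}"; do
      if run "$sig"; then
        exit 0
      fi
    done

    # Callers use this for screen locking, so failure must be observable.
    echo "runInDesktop: no Hyprland instance accepted the command" >&2
    exit 1
  '';
};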
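lockPkg = pkgs.writeShellApplication {
  # `lock`: asks the running ags instance to evaluate Tablet.setLaptopMode(),
  # then starts a second ags instance on the "lockscreen" bus using the
  # user's lockscreen.js config.
  name = "lock";

  runtimeInputs = [
    agsPkg
  ];

  text = ''
    # writeShellApplication scripts run with errexit, so a failure of this
    # cosmetic call would abort the script before the lock screen starts.
    # Locking must not depend on it, hence the explicit `|| true`.
    # NOTE(review): confirm which exit status `ags -r` returns when no
    # default instance is running.
    ags -r 'Tablet.setLaptopMode()' || true

    # NOTE(review): the home directory is assumed to be /home/<user>;
    # verify against the home-manager configuration of cfg.user.
    ags -b lockscreen -c /home/${cfg.user}/.config/ags/lockscreen.js
  '';
};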
in {
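services.acpid = mkIf cfg.isLaptop {
  enable = true;

  # Lid handler: reads the lid state from /proc and either locks the session
  # (lid closed) or asks the lockscreen instance to start fingerprint
  # authentication (lid opened). Both actions are sent into the user's
  # Hyprland session through runInDesktop.
  lidEventCommands =
    # bash
    ''
      LID="/proc/acpi/button/lid/LID/state"
      state=$(${pkgs.gawk}/bin/awk '{print $2}' "$LID")

      case "$state" in
        *open*)
          ${getExe runInDesktop} "ags -b lockscreen -r 'authFinger()'" ||
            logger -t lid-handler "Failed to request fingerprint auth on lid open"
          ;;

        *close*)
          # If this dispatch fails the session stays unlocked with the lid
          # shut, so record it instead of dropping the error silently.
          ${getExe runInDesktop} ${getExe lockPkg} ||
            logger -t lid-handler "Failed to lock the session on lid close"
          ;;

        *)
          logger -t lid-handler "Failed to detect lid state ($state)"
          ;;
      esac
    '';
};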
home-manager.users.${cfg.user} = {
  # User-level pieces: the seahorse keyring GUI and the `lock` command.
  home.packages = [
    pkgs.gnome.seahorse
    lockPkg
  ];

  wayland.windowManager.hyprland.settings = {
    # Started once with the Hyprland session: the keyring's secrets
    # component and the polkit agent that shows graphical auth prompts.
    exec-once = [
      "gnome-keyring-daemon --start --components=secrets"
      "${pkgs.plasma5Packages.polkit-kde-agent}/libexec/polkit-kde-authentication-agent-1"
    ];

    # Keep authentication dialogs floating, fixed-size and centred.
    windowrule = [
      "float,^(org.kde.polkit-kde-authentication-agent-1)$"
      "size 741 288,^(org.kde.polkit-kde-authentication-agent-1)$"
      "center,^(org.kde.polkit-kde-authentication-agent-1)$"

      # For GParted auth
      "size 741 288,^(org.kde.ksshaskpass)$"
      "move cursor -370 -144,^(org.kde.ksshaskpass)$"
    ];

    # Manual lock shortcut; runs the same `lock` script as the lid handler.
    bind = [
      "$mainMod, L, exec, ${getExe lockPkg}"
    ];
  };
};
}