nixos-configs/devices/wim/modules/security.nix

{
  pkgs,
  lib,
  config,
  ...
}: let
  grosshack = config.customPkgs.pam-fprint-grosshack;
  grosshackSo = "${grosshack}/lib/security/pam_fprintd_grosshack.so";
  gnomeSo = "${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so";
in {
  services.fprintd.enable = true;

  # https://www.reddit.com/r/NixOS/comments/z7i83r/fingertip_tip_start_fprintd_at_boot_for_a_quick/
  systemd.services.fprintd = {
    wantedBy = ["multi-user.target"];
    serviceConfig.Type = "simple";
  };

  services.logind.lidSwitch = "lock";

  security.sudo.extraConfig = ''
    Defaults        timestamp_timeout=600
  '';

  security.pam.services = {
    # all the changes in /etc/pam.d/*
    sddm.text = lib.mkBefore ''
      auth      [success=1 new_authtok_reqd=1 default=ignore]  	pam_unix.so try_first_pass likeauth nullok
      auth      sufficient    ${pkgs.fprintd}/lib/security/pam_fprintd.so
    '';

    sudo.text = ''
      # Account management.
      auth    sufficient    ${grosshackSo}
      auth    sufficient    pam_unix.so try_first_pass nullok
      account required pam_unix.so

      # Authentication management.
      auth required pam_deny.so

      # Password management.
      password sufficient pam_unix.so nullok yescrypt

      # Session management.
      session required pam_env.so conffile=/etc/pam/environment readenv=0
      session required pam_unix.so
    '';

    login.text = ''
      # Account management.
      account required pam_unix.so

      # Authentication management.
      auth    sufficient    ${grosshackSo}
      auth optional pam_unix.so nullok  likeauth
      auth optional ${gnomeSo}
      auth    sufficient    pam_unix.so try_first_pass nullok
      auth required pam_deny.so

      # Password management.
      password sufficient pam_unix.so nullok yescrypt
      password optional ${gnomeSo} use_authtok

      # Session management.
      session required pam_env.so conffile=/etc/pam/environment readenv=0
      session required pam_unix.so
      session required pam_loginuid.so
      session required ${pkgs.pam}/lib/security/pam_lastlog.so silent
      session optional ${pkgs.systemd}/lib/security/pam_systemd.so
      session optional ${gnomeSo} auto_start
    '';

    polkit-1.text = ''
      # Account management.
      account required pam_unix.so

      # Authentication management.
      auth    sufficient    ${grosshackSo}
      auth    sufficient    pam_unix.so try_first_pass nullok
      auth required pam_deny.so

      # Password management.
      password sufficient pam_unix.so nullok yescrypt

      # Session management.
      session required pam_env.so conffile=/etc/pam/environment readenv=0
      session required pam_unix.so
    '';
  };
}
feat: split up config 2023-06-19 01:36:50 -04:00			`{`
feat: add nix code formatter 2023-11-22 15:33:16 -05:00			`pkgs,`
			`lib,`
feat: separate custom pkgs from nixpkgs 2023-12-01 16:53:51 -05:00			`config,`
feat: add nix code formatter 2023-11-22 15:33:16 -05:00			`...`
feat: separate custom pkgs from nixpkgs 2023-12-01 16:53:51 -05:00			`}: let`
			`grosshack = config.customPkgs.pam-fprint-grosshack;`
			`grosshackSo = "${grosshack}/lib/security/pam_fprintd_grosshack.so";`
			`gnomeSo = "${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so";`
			`in {`
feat: split up config 2023-06-19 01:36:50 -04:00			`services.fprintd.enable = true;`

misc changes 2023-06-20 15:24:07 -04:00			`# https://www.reddit.com/r/NixOS/comments/z7i83r/fingertip_tip_start_fprintd_at_boot_for_a_quick/`
feat: split up config 2023-06-19 01:36:50 -04:00			`systemd.services.fprintd = {`
feat: add nix code formatter 2023-11-22 15:33:16 -05:00			`wantedBy = ["multi-user.target"];`
feat: split up config 2023-06-19 01:36:50 -04:00			`serviceConfig.Type = "simple";`
			`};`

			`services.logind.lidSwitch = "lock";`

			`security.sudo.extraConfig = ''`
feat: make sudo timeout longer 2023-08-09 22:09:48 -04:00			`Defaults timestamp_timeout=600`
feat: split up config 2023-06-19 01:36:50 -04:00			`'';`

			`security.pam.services = {`
			`# all the changes in /etc/pam.d/*`
feat: add nix code formatter 2023-11-22 15:33:16 -05:00			`sddm.text = lib.mkBefore ''`
feat: split up config 2023-06-19 01:36:50 -04:00			`auth [success=1 new_authtok_reqd=1 default=ignore] pam_unix.so try_first_pass likeauth nullok`
feat: make fprint-grosshack a package and cleanup custom package referencing 2023-07-15 17:47:37 -04:00			`auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so`
feat: split up config 2023-06-19 01:36:50 -04:00			`'';`

			`sudo.text = ''`
			`# Account management.`
feat: separate custom pkgs from nixpkgs 2023-12-01 16:53:51 -05:00			`auth sufficient ${grosshackSo}`
feat: split up config 2023-06-19 01:36:50 -04:00			`auth sufficient pam_unix.so try_first_pass nullok`
			`account required pam_unix.so`

			`# Authentication management.`
			`auth required pam_deny.so`

			`# Password management.`
			`password sufficient pam_unix.so nullok yescrypt`

			`# Session management.`
			`session required pam_env.so conffile=/etc/pam/environment readenv=0`
			`session required pam_unix.so`
			`'';`

			`login.text = ''`
			`# Account management.`
			`account required pam_unix.so`

			`# Authentication management.`
feat: separate custom pkgs from nixpkgs 2023-12-01 16:53:51 -05:00			`auth sufficient ${grosshackSo}`
feat: split up config 2023-06-19 01:36:50 -04:00			`auth optional pam_unix.so nullok likeauth`
feat: separate custom pkgs from nixpkgs 2023-12-01 16:53:51 -05:00			`auth optional ${gnomeSo}`
feat: split up config 2023-06-19 01:36:50 -04:00			`auth sufficient pam_unix.so try_first_pass nullok`
			`auth required pam_deny.so`

			`# Password management.`
			`password sufficient pam_unix.so nullok yescrypt`
feat: separate custom pkgs from nixpkgs 2023-12-01 16:53:51 -05:00			`password optional ${gnomeSo} use_authtok`
feat: split up config 2023-06-19 01:36:50 -04:00
			`# Session management.`
			`session required pam_env.so conffile=/etc/pam/environment readenv=0`
			`session required pam_unix.so`
			`session required pam_loginuid.so`
feat: make fprint-grosshack a package and cleanup custom package referencing 2023-07-15 17:47:37 -04:00			`session required ${pkgs.pam}/lib/security/pam_lastlog.so silent`
			`session optional ${pkgs.systemd}/lib/security/pam_systemd.so`
feat: separate custom pkgs from nixpkgs 2023-12-01 16:53:51 -05:00			`session optional ${gnomeSo} auto_start`
feat: split up config 2023-06-19 01:36:50 -04:00			`'';`

			`polkit-1.text = ''`
			`# Account management.`
			`account required pam_unix.so`

			`# Authentication management.`
feat: separate custom pkgs from nixpkgs 2023-12-01 16:53:51 -05:00			`auth sufficient ${grosshackSo}`
feat: split up config 2023-06-19 01:36:50 -04:00			`auth sufficient pam_unix.so try_first_pass nullok`
			`auth required pam_deny.so`

			`# Password management.`
			`password sufficient pam_unix.so nullok yescrypt`

			`# Session management.`
			`session required pam_env.so conffile=/etc/pam/environment readenv=0`
			`session required pam_unix.so`
			`'';`
			`};`
			`}`