matt1432/nixos-configs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
nixos-configs/nixos/cfg/security.nix

97 lines
3.3 KiB
Nix
Raw Blame History

{ config, pkgs, ... }:
{
services.fprintd.enable = true;
# https://www.reddit.com/r/NixOS/comments/z7i83r/fingertip_tip_start_fprintd_at_boot_for_a_quick/
systemd.services.fprintd = {
wantedBy = [ "multi-user.target" ];
serviceConfig.Type = "simple";
};
services.logind.lidSwitch = "lock";
services.gnome.gnome-keyring.enable = true;
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
networking.firewall.enable = false;
security.sudo.extraConfig = ''
Defaults timestamp_timeout=60
'';
security.pam.services = {
gtklock = {};
# all the changes in /etc/pam.d/*
sddm.text = /* TODO: lib.mkBefore ... */''
auth [success=1 new_authtok_reqd=1 default=ignore] pam_unix.so try_first_pass likeauth nullok
auth sufficient /nix/store/7hw6i2p2p7zzgjirw6xaj3c50gga488y-fprintd-1.94.2/lib/security/pam_fprintd.so
auth substack login
account include login
password substack login
session include login
'';
sudo.text = ''
# Account management.
auth sufficient /root/lib/pam/pam_fprintd_grosshack.so
auth sufficient pam_unix.so try_first_pass nullok
account required pam_unix.so
# Authentication management.
auth required pam_deny.so
# Password management.
password sufficient pam_unix.so nullok yescrypt
# Session management.
session required pam_env.so conffile=/etc/pam/environment readenv=0
session required pam_unix.so
'';
login.text = ''
# Account management.
account required pam_unix.so
# Authentication management.
auth sufficient /root/lib/pam/pam_fprintd_grosshack.so
auth optional pam_unix.so nullok likeauth
auth optional /nix/store/21dqfghfa8b09ssvgja8l5bg7h5d9rzl-gnome-keyring-42.1/lib/security/pam_gnome_keyring.so
auth sufficient pam_unix.so try_first_pass nullok
auth required pam_deny.so
# Password management.
password sufficient pam_unix.so nullok yescrypt
password optional /nix/store/21dqfghfa8b09ssvgja8l5bg7h5d9rzl-gnome-keyring-42.1/lib/security/pam_gnome_keyring.so use_authtok
# Session management.
session required pam_env.so conffile=/etc/pam/environment readenv=0
session required pam_unix.so
session required pam_loginuid.so
session required /nix/store/4m8ab1p9y6ig31wniimlvsl23i9sazvp-linux-pam-1.5.2/lib/security/pam_lastlog.so silent
session optional /nix/store/8pbr7x6wh765mg43zs0p70gsaavmbbh7-systemd-253.3/lib/security/pam_systemd.so
session optional /nix/store/21dqfghfa8b09ssvgja8l5bg7h5d9rzl-gnome-keyring-42.1/lib/security/pam_gnome_keyring.so auto_start
'';
polkit-1.text = ''
# Account management.
account required pam_unix.so
# Authentication management.
auth sufficient /root/lib/pam/pam_fprintd_grosshack.so
auth sufficient pam_unix.so try_first_pass nullok
auth required pam_deny.so
# Password management.
password sufficient pam_unix.so nullok yescrypt
# Session management.
session required pam_env.so conffile=/etc/pam/environment readenv=0
session required pam_unix.so
'';
};
}
Reference in a new issue View git blame Copy permalink