nixos-configs/modules/desktop/environment/modules/security.nix
matt1432 49dc072b81
refactor(modules): make sure nothing is added without setting enable
2025-01-04 19:02:30 -05:00


# Desktop security module: takes the flake's `self` first, then the usual
# module arguments. The bindings below are shared by the rest of the file.
self: {
  config,
  lib,
  pkgs,
  ...
}: let
  inherit (lib) getExe map mkIf;
  inherit (self.lib.hypr) mkBind;

  # Options of the desktop role; `cfg.user` names the account the desktop
  # session belongs to.
  cfg = config.roles.desktop;

  # home-manager configuration of that account.
  hmCfg = config.home-manager.users.${cfg.user};

  # Hyprland package as exposed by the user's home-manager Hyprland module.
  hyprPkg = hmCfg.wayland.windowManager.hyprland.finalPackage;

  # Lock-screen program. See modules/ags/packages.nix
  inherit (hmCfg.programs.ags) lockPkg;
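# Helper that dispatches a command into the desktop user's Hyprland session.
#
# It looks up the numeric uid of `cfg.user`, lists the entries of
# /run/user/<uid>/hypr and tries each one as HYPRLAND_INSTANCE_SIGNATURE
# until `hyprctl dispatch exec` succeeds. All arguments given to the helper
# are forwarded to `hyprctl dispatch exec`.
#
# Exit status: 0 as soon as one instance accepts the command, non-zero when
# the directory is missing or no instance accepts it. The previous version
# indexed past the end of the array in that case and died on an unbound
# variable instead of reporting the failure.
runInDesktop = pkgs.writeShellApplication {
  name = "runInDesktop";

  runtimeInputs = [
    pkgs.sudo
    hyprPkg
  ];

  text = ''
    params=( "$@" )
    user="$(id -u ${cfg.user})"
    hyprDir="/run/user/$user/hypr"

    # Fail with a clear message when the user has no Hyprland runtime dir.
    if [[ ! -d "$hyprDir" ]]; then
      echo "runInDesktop: $hyprDir does not exist" >&2
      exit 1
    fi

    # One array element per directory entry, i.e. per candidate instance.
    readarray -t SIGS <<< "$(ls "$hyprDir/")"

    run() {
      export HYPRLAND_INSTANCE_SIGNATURE="$1"
      # NOTE(review): -E forwards the whole environment of the caller to the
      # target user, not only HYPRLAND_INSTANCE_SIGNATURE. Narrowing this to
      # --preserve-env=HYPRLAND_INSTANCE_SIGNATURE would be tighter; confirm
      # first that hyprctl needs nothing else from the calling environment.
      sudo -Eu ${cfg.user} hyprctl dispatch exec "''${params[@]}"
    }

    # Bounded walk over the candidates; stop at the first one that works.
    for sig in "''${SIGS[@]}"; do
      # An empty listing yields a single empty element; skip it.
      [[ -n "$sig" ]] || continue

      if run "$sig"; then
        exit 0
      fi
    done

    echo "runInDesktop: no Hyprland instance accepted the command" >&2
    exit 1
  '';
};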
in {
  # For accurate stack trace
  _file = ./security.nix;

  # Nothing below is applied unless the desktop role is enabled.
  config = mkIf cfg.enable {
    # Lid events are only handled on machines flagged as laptops.
    #
    # The handler reads the second field of the lid state file, then asks
    # the lock program to start fingerprint auth on open, or starts the lock
    # program on close; any other state is logged.
    #
    # Each lock command is passed to runInDesktop as one string, which
    # forwards it to `hyprctl dispatch exec`. Every interpolated piece comes
    # from Nix evaluation; `$state` is used only for the case match and the
    # log line.
    #
    # NOTE(review): awk is pinned to a store path but `logger` is resolved
    # from the handler's PATH, and the lid node name `LID` is fixed; confirm
    # both hold on the target machines.
    services.acpid = mkIf cfg.isLaptop {
      enable = true;

      lidEventCommands =
        # bash
        ''
          LID="/proc/acpi/button/lid/LID/state"
          state=$(${pkgs.gawk}/bin/awk '{print $2}' "$LID")
          case "$state" in
          *open*)
          ${getExe runInDesktop} "${getExe lockPkg} request 'authFinger()'"
          ;;
          *close*)
          ${getExe runInDesktop} "${getExe lockPkg}"
          ;;
          *)
          logger -t lid-handler "Failed to detect lid state ($state)"
          ;;
          esac
        '';
    };

    home-manager.users.${cfg.user} = {
      home = {
        # seahorse plus the lock program itself.
        packages = [
          pkgs.seahorse
          lockPkg
        ];
      };

      wayland.windowManager.hyprland.settings = let
        # Window class matcher shared by the three polkit agent rules.
        polkitClass = "^(org.kde.polkit-kde-authentication-agent-1)$";
      in {
        # Started once with the session: the keyring daemon with only its
        # secrets component, and the KDE polkit authentication agent.
        # NOTE(review): the agent is pinned to a store path, while
        # gnome-keyring-daemon is resolved from the session PATH.
        exec-once = [
          "gnome-keyring-daemon --start --components=secrets"
          "${pkgs.plasma5Packages.polkit-kde-agent}/libexec/polkit-kde-authentication-agent-1"
        ];

        # Keep authentication prompts floating, fixed-size and centred.
        windowrule = [
          "float,${polkitClass}"
          "size 741 288,${polkitClass}"
          "center,${polkitClass}"

          # For GParted auth
          "size 741 288,^(org.kde.ksshaskpass)$"
          "move cursor -370 -144,^(org.kde.ksshaskpass)$"
        ];

        # $mainMod + L starts the lock program.
        bind = map mkBind [
          {
            modifier = "$mainMod";
            key = "L";
            command = getExe lockPkg;
          }
        ];
      };
    };
  };
}