Kieran's opinionated (and probably slightly dumb) nix config
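# Authentication stack for the "atelier" profile: fingerprint enrolment
# (fprintd), polkit with the GNOME agent, gnome-keyring, and custom PAM
# stacks for hyprlock, sudo and su that accept either a password or a
# fingerprint.
{
  lib,
  config,
  pkgs,
  ...
}:
let
  cfg = config.atelier.authentication;

  # PAM stack shared by hyprlock and sudo (they were byte-identical).
  # Modules run top to bottom; the first "sufficient" module that succeeds
  # ends the auth phase, so the password is checked first and the fingerprint
  # reader is only consulted when the password fails or is not entered.
  # pam_deny closes the stack.
  # NOTE(review): "nullok" on the auth line lets an account whose password is
  # empty pass this stack (NixOS itself only emits it on the auth line when
  # allowNullPassword is set) -- keep only if that is intended.
  # NOTE(review): there is no pam_faillock in these two stacks, so attempt
  # throttling relies on whatever the calling program and pam_fprintd do.
  passwordOrFingerprint = ''
    # Account management.
    account required pam_unix.so # unix (order 10900)

    # Authentication management.
    auth sufficient pam_unix.so try_first_pass likeauth nullok
    auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so
    auth required pam_deny.so # deny

    # Password management.
    password sufficient pam_unix.so nullok yescrypt # unix

    # Session management.
    session required pam_env.so conffile=/etc/pam/environment readenv=0 # env (order 10100)
    session required pam_unix.so # unix (order 10200)
  '';
in
{
  # mkEnableOption prepends "Whether to enable" to this text, so the text
  # must not itself begin with "Enable".
  options.atelier.authentication.enable =
    lib.mkEnableOption "the authentication stack (polkit, keyring, PAM with fprintd)";

  config = lib.mkIf cfg.enable {
    services.fprintd.enable = true;
    security.polkit.enable = true;
    services.gnome.gnome-keyring.enable = true;
    programs.dconf.enable = true;

    environment.systemPackages = [
      pkgs.polkit_gnome
      pkgs.fprintd
    ];

    # Graphical polkit prompt, started with the graphical session and
    # restarted (after 1 s) if it exits abnormally.
    systemd.user.services.polkit-gnome-authentication-agent-1 = {
      description = "polkit-gnome-authentication-agent-1";
      wantedBy = [ "graphical-session.target" ];
      wants = [ "graphical-session.target" ];
      after = [ "graphical-session.target" ];
      serviceConfig = {
        Type = "simple";
        ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
        Restart = "on-failure";
        RestartSec = 1;
        TimeoutStopSec = 10;
      };
    };

    # services.fprintd.enable is set to true above, so these guards normally
    # hold; they are kept so that forcing fprintd off (e.g. with mkForce)
    # also drops the custom stacks and restores the NixOS defaults.
    security.pam.services.hyprlock = lib.mkIf config.services.fprintd.enable {
      text = passwordOrFingerprint;
    };

    security.pam.services.sudo = lib.mkIf config.services.fprintd.enable {
      text = passwordOrFingerprint;
    };

    # su: root skips authentication via pam_rootok; everyone else gets
    # password-or-fingerprint as above.  The duplicated
    # "session required pam_unix.so" line of the original was dropped.
    # NOTE(review): pam_faillock.so with no action argument acts in its
    # "preauth" role as I read pam_faillock(8); without matching
    # "authfail"/"authsucc" lines the tally is never updated, so this line
    # may not enforce any lockout -- confirm against the intended policy.
    security.pam.services.su = lib.mkIf config.services.fprintd.enable {
      text = ''
        # Account management.
        account required pam_unix.so # unix (order 10900)

        # Authentication management.
        auth sufficient pam_rootok.so # rootok (order 10200)
        auth required pam_faillock.so # faillock (order 10400)
        auth sufficient pam_unix.so try_first_pass likeauth nullok
        auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so
        auth required pam_deny.so # deny

        # Password management.
        password sufficient pam_unix.so nullok yescrypt # unix

        # Session management.
        session required pam_env.so conffile=/etc/pam/environment readenv=0 # env (order 10100)
        session required pam_unix.so # unix (order 10200)
        session optional pam_xauth.so systemuser=99 xauthpath=${pkgs.xorg.xauth}/bin/xauth # xauth (order 12100)
      '';
    };
  };
}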