# NixOS module for physlock, a console/screen locker.
#
# Declares the `services.physlock.*` options and, when enabled, a systemd
# unit that starts physlock just before the selected sleep targets (and any
# extra units the administrator lists).
{ config, lib, pkgs, ... }:

let
  inherit (lib) mkIf mkOption optional optionalString types;

  cfg = config.services.physlock;
  lockOn = cfg.lockOn;

  # Boolean option with the given default and description text.
  mkBoolOption = default: description: mkOption {
    type = types.bool;
    inherit default description;
  };

  # Unit list shared by `wantedBy` and `before`: the suspend/hibernate entry
  # is included only when the matching lockOn flag is set, and
  # `extraTargets` is always appended.
  unitsFor = suspendUnit: hibernateUnit:
    optional lockOn.suspend suspendUnit
    ++ optional lockOn.hibernate hibernateUnit
    ++ lockOn.extraTargets;

  # "-d" makes physlock fork and detach (hence Type = "forking" below);
  # the "s" suffix is appended only when disableSysRq is set.
  lockFlags = "-d" + optionalString cfg.disableSysRq "s";
in

{

  ###### interface

  options = {

    services.physlock = {

      # Off by default. Once enabled, the lockOn.* defaults below mean the
      # console is locked before suspend and hibernate without further setup.
      enable = mkBoolOption false ''
        Whether to enable the <command>physlock</command> screen locking mechanism.

        Enable this and then run <command>systemctl start physlock</command>
        to securely lock the screen.

        This will switch to a new virtual terminal, turn off console
        switching and disable SysRq mechanism (when
        <option>services.physlock.disableSysRq</option> is set)
        until the root or user password is given.
      '';

      # Security: when this is false the kernel's magic SysRq keys stay
      # active while the console is locked. Keep the default unless SysRq is
      # already restricted system-wide (kernel.sysrq).
      disableSysRq = mkBoolOption true ''
        Whether to disable SysRq when locked with physlock.
      '';

      lockOn = {

        suspend = mkBoolOption true ''
          Whether to lock screen with physlock just before suspend.
        '';

        hibernate = mkBoolOption true ''
          Whether to lock screen with physlock just before hibernate.
        '';

        # Each entry is used twice in the unit below: as a `wantedBy`
        # (so the listed unit pulls physlock in) and as a `before`
        # (so physlock is ordered ahead of it).
        extraTargets = mkOption {
          type = types.listOf types.str;
          default = [];
          example = [ "display-manager.service" ];
          description = ''
            Other targets to lock the screen just before.

            Useful if you want to e.g. both autologin to X11 so that
            your <filename>~/.xsession</filename> gets executed and
            still to have the screen locked so that the system can be
            booted relatively unattended.
          '';
        };

      };

    };

  };


  ###### implementation

  config = mkIf cfg.enable {

    # for physlock -l and physlock -L
    environment.systemPackages = [ pkgs.physlock ];

    # No User= is set, so the unit runs with systemd's default identity for
    # system services.
    #
    # NOTE(review): only suspend.target and hibernate.target are hooked
    # here. Confirm whether other sleep paths (e.g. hybrid-sleep.target) are
    # in use on the machine and need their own lock hook; otherwise those
    # paths would resume without the console being locked.
    systemd.services.physlock = {
      enable = true;
      description = "Physlock";
      wantedBy = unitsFor "suspend.target" "hibernate.target";
      before = unitsFor "systemd-suspend.service" "systemd-hibernate.service";
      serviceConfig = { Type = "forking"; };
      script = ''
        ${pkgs.physlock}/bin/physlock ${lockFlags}
      '';
    };

  };

}