pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / modules / services / security / physlock.nix
at 23.11-pre 4.0 kB view raw
1{ config, lib, pkgs, ... }: 2 3with lib; 4 5let 6 cfg = config.services.physlock; 7in 8 9{ 10 11 ###### interface 12 13 options = { 14 15 services.physlock = { 16 17 enable = mkOption { 18 type = types.bool; 19 default = false; 20 description = lib.mdDoc '' 21 Whether to enable the {command}`physlock` screen locking mechanism. 22 23 Enable this and then run {command}`systemctl start physlock` 24 to securely lock the screen. 25 26 This will switch to a new virtual terminal, turn off console 27 switching and disable SysRq mechanism (when 28 {option}`services.physlock.disableSysRq` is set) 29 until the root or user password is given. 30 ''; 31 }; 32 33 allowAnyUser = mkOption { 34 type = types.bool; 35 default = false; 36 description = lib.mdDoc '' 37 Whether to allow any user to lock the screen. This will install a 38 setuid wrapper to allow any user to start physlock as root, which 39 is a minor security risk. Call the physlock binary to use this instead 40 of using the systemd service. 41 ''; 42 }; 43 44 disableSysRq = mkOption { 45 type = types.bool; 46 default = true; 47 description = lib.mdDoc '' 48 Whether to disable SysRq when locked with physlock. 49 ''; 50 }; 51 52 lockMessage = mkOption { 53 type = types.str; 54 default = ""; 55 description = lib.mdDoc '' 56 Message to show on physlock login terminal. 57 ''; 58 }; 59 60 muteKernelMessages = mkOption { 61 type = types.bool; 62 default = false; 63 description = lib.mdDoc '' 64 Disable kernel messages on console while physlock is running. 65 ''; 66 }; 67 68 lockOn = { 69 70 suspend = mkOption { 71 type = types.bool; 72 default = true; 73 description = lib.mdDoc '' 74 Whether to lock screen with physlock just before suspend. 75 ''; 76 }; 77 78 hibernate = mkOption { 79 type = types.bool; 80 default = true; 81 description = lib.mdDoc '' 82 Whether to lock screen with physlock just before hibernate. 83 ''; 84 }; 85 86 extraTargets = mkOption { 87 type = types.listOf types.str; 88 default = []; 89 example = [ "display-manager.service" ]; 90 description = lib.mdDoc '' 91 Other targets to lock the screen just before. 92 93 Useful if you want to e.g. both autologin to X11 so that 94 your {file}`~/.xsession` gets executed and 95 still to have the screen locked so that the system can be 96 booted relatively unattended. 97 ''; 98 }; 99 100 }; 101 102 }; 103 104 }; 105 106 107 ###### implementation 108 109 config = mkIf cfg.enable (mkMerge [ 110 { 111 112 # for physlock -l and physlock -L 113 environment.systemPackages = [ pkgs.physlock ]; 114 115 systemd.services.physlock = { 116 enable = true; 117 description = "Physlock"; 118 wantedBy = optional cfg.lockOn.suspend "suspend.target" 119 ++ optional cfg.lockOn.hibernate "hibernate.target" 120 ++ cfg.lockOn.extraTargets; 121 before = optional cfg.lockOn.suspend "systemd-suspend.service" 122 ++ optional cfg.lockOn.hibernate "systemd-hibernate.service" 123 ++ optional (cfg.lockOn.hibernate || cfg.lockOn.suspend) "systemd-suspend-then-hibernate.service" 124 ++ cfg.lockOn.extraTargets; 125 serviceConfig = { 126 Type = "forking"; 127 ExecStart = "${pkgs.physlock}/bin/physlock -d${optionalString cfg.muteKernelMessages "m"}${optionalString cfg.disableSysRq "s"}${optionalString (cfg.lockMessage != "") " -p \"${cfg.lockMessage}\""}"; 128 }; 129 }; 130 131 security.pam.services.physlock = {}; 132 133 } 134 135 (mkIf cfg.allowAnyUser { 136 137 security.wrappers.physlock = 138 { setuid = true; 139 owner = "root"; 140 group = "root"; 141 source = "${pkgs.physlock}/bin/physlock"; 142 }; 143 144 }) 145 ]); 146 147}