pyrox.dev / nixpkgs
lol
fork atom

physlock: add allowAnyUser option

Silvan Mosberger cfd22b73 9a5fe79d

options
unified split
Changed files
+41 -19
nixos
modules
services
security
physlock.nix
+41 -19
nixos/modules/services/security/physlock.nix 
···

       
30

       
 

       
        '';


     

       
31

       
 

       
      };


     

       
32

       
 

       



     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
33

       
 

       
      disableSysRq = mkOption {


     

       
34

       
 

       
        type = types.bool;


     

       
35

       
 

       
        default = true;


     
···

       
79

       
 

       



     

       
80

       
 

       
  ###### implementation


     

       
81

       
 

       



     

       
82

       
-

       
  config = mkIf cfg.enable {


     

       

       

       
     

       
83

       
 

       



     

       
84

       
-

       
    # for physlock -l and physlock -L


     

       
85

       
-

       
    environment.systemPackages = [ pkgs.physlock ];


     

       
86

       
 

       



     

       
87

       
-

       
    systemd.services."physlock" = {


     

       
88

       
-

       
      enable = true;


     

       
89

       
-

       
      description = "Physlock";


     

       
90

       
-

       
      wantedBy = optional cfg.lockOn.suspend   "suspend.target"


     

       
91

       
-

       
              ++ optional cfg.lockOn.hibernate "hibernate.target"


     

       
92

       
-

       
              ++ cfg.lockOn.extraTargets;


     

       
93

       
-

       
      before   = optional cfg.lockOn.suspend   "systemd-suspend.service"


     

       
94

       
-

       
              ++ optional cfg.lockOn.hibernate "systemd-hibernate.service"


     

       
95

       
-

       
              ++ cfg.lockOn.extraTargets;


     

       
96

       
-

       
      serviceConfig.Type = "forking";


     

       
97

       
-

       
      script = ''


     

       
98

       
-

       
        ${pkgs.physlock}/bin/physlock -d${optionalString cfg.disableSysRq "s"}


     

       
99

       
-

       
      '';


     

       
100

       
-

       
    };


     

       
101

       
 

       



     

       
102

       
-

       
    security.pam.services.physlock = {};


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
103

       
 

       



     

       
104

       
-

       
  };


     

       

       

       
     

       
105

       
 

       



     

       
106

       
 

       
}


     
···

       
30

       
 

       
        '';


     

       
31

       
 

       
      };


     

       
32

       
 

       



     

       
33

       
+

       
      allowAnyUser = mkOption {


     

       
34

       
+

       
        type = types.bool;


     

       
35

       
+

       
        default = false;


     

       
36

       
+

       
        description = ''


     

       
37

       
+

       
          Whether to allow any user to lock the screen. This will install a


     

       
38

       
+

       
          setuid wrapper to allow any user to start physlock as root, which


     

       
39

       
+

       
          is a minor security risk. Call the physlock binary to use this instead


     

       
40

       
+

       
          of using the systemd service.


     

       
41

       
+

       



     

       
42

       
+

       
          Note that you might need to relog to have the correct binary in your


     

       
43

       
+

       
          PATH upon changing this option.


     

       
44

       
+

       
        '';


     

       
45

       
+

       
      };


     

       
46

       
+

       



     

       
47

       
 

       
      disableSysRq = mkOption {


     

       
48

       
 

       
        type = types.bool;


     

       
49

       
 

       
        default = true;


     
···

       
93

       
 

       



     

       
94

       
 

       
  ###### implementation


     

       
95

       
 

       



     

       
96

       
+

       
  config = mkIf cfg.enable (mkMerge [


     

       
97

       
+

       
    {


     

       
98

       
 

       



     

       
99

       
+

       
      # for physlock -l and physlock -L


     

       
100

       
+

       
      environment.systemPackages = [ pkgs.physlock ];


     

       
101

       
 

       



     

       
102

       
+

       
      systemd.services."physlock" = {


     

       
103

       
+

       
        enable = true;


     

       
104

       
+

       
        description = "Physlock";


     

       
105

       
+

       
        wantedBy = optional cfg.lockOn.suspend   "suspend.target"


     

       
106

       
+

       
                ++ optional cfg.lockOn.hibernate "hibernate.target"


     

       
107

       
+

       
                ++ cfg.lockOn.extraTargets;


     

       
108

       
+

       
        before   = optional cfg.lockOn.suspend   "systemd-suspend.service"


     

       
109

       
+

       
                ++ optional cfg.lockOn.hibernate "systemd-hibernate.service"


     

       
110

       
+

       
                ++ cfg.lockOn.extraTargets;


     

       
111

       
+

       
        serviceConfig = {


     

       
112

       
+

       
          Type = "forking";


     

       
113

       
+

       
          ExecStart = "${pkgs.physlock}/bin/physlock -d${optionalString cfg.disableSysRq "s"}";


     

       
114

       
+

       
        };


     

       
115

       
+

       
      };


     

       
116

       
 

       



     

       
117

       
+

       
      security.pam.services.physlock = {};


     

       
118

       
+

       



     

       
119

       
+

       
    }


     

       
120

       
+

       



     

       
121

       
+

       
    (mkIf cfg.allowAnyUser {


     

       
122

       
+

       



     

       
123

       
+

       
      security.wrappers.physlock = { source = "${pkgs.physlock}/bin/physlock"; user = "root"; };


     

       
124

       
 

       



     

       
125

       
+

       
    })


     

       
126

       
+

       
  ]);


     

       
127

       
 

       



     

       
128

       
 

       
}