yep, more dotfiles
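{ config, lib, ... }:

let
  # Shorthand for this fragment's own option set.
  cfg = config.local.fragment.security;
in
{
  # Toggle for the whole fragment; everything below is gated on it.
  options.local.fragment.security.enable = lib.mkEnableOption ''
    Security related
  '';

  config = lib.mkIf cfg.enable {
    # Sudo: sudo-rs in place of sudo (only one of the two may be enabled).
    security.sudo.enable = false;
    security.sudo-rs.enable = true;

    # Security Kits
    security.polkit.enable = true;
    security.rtkit.enable = true;

    # Systemd Login
    services.logind = {
      lidSwitch = "suspend";
      # Rendered into logind.conf as KEY=VALUE lines.
      extraConfig = lib.generators.toKeyValue { } {
        IdleAction = "lock";
        # Don’t shutdown when power button is short-pressed
        HandlePowerKey = "lock";
        HandlePowerKeyLongPress = "suspend";
      };
    };

    # `swaylock` pam service must be at least declared to work properly.
    # nodelay drops pam_unix's own failure delay; failDelay re-adds a fixed
    # 500000 µs (0.5 s) one via pam_faildelay, so failed unlocks stay throttled.
    security.pam.services."swaylock" = { nodelay = true; failDelay = { enable = true; delay = 500000; }; };

    # reduce sudo fail delay to half a second (same shape as the swaylock service)
    security.pam.services."sudo" = { nodelay = true; failDelay = { enable = true; delay = 500000; }; };

    # Signing
    programs.gnupg.agent.enable = true;
    services.gnome.gnome-keyring.enable = true;

    # SSH: key-based logins only.
    services.openssh = {
      enable = true;
      settings = {
        PermitRootLogin = "no";
        PasswordAuthentication = false;
        # PasswordAuthentication=no alone leaves the keyboard-interactive (PAM)
        # path open, through which sshd can still prompt for a password.
        KbdInteractiveAuthentication = false;
      };
    };

    programs.ssh.startAgent = true;

    # Firmware update daemon.
    services.fwupd.enable = true;
  };
}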