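# NixOS module: the "security" fragment of this configuration.
# Enabled through `local.fragment.security.enable`; everything under `config`
# is only applied when that option is set.
{ config
, lib
, ...
}:

let
  cfg = config.local.fragment.security;
in
{
  options.local.fragment.security.enable = lib.mkEnableOption ''
    Security related
  '';

  config = lib.mkIf cfg.enable {
    # Sudo: use sudo-rs instead of the classic implementation.
    # The classic one is switched off explicitly so the two do not both ship.
    security.sudo.enable = false;
    security.sudo-rs.enable = true;

    # Security Kits
    security.polkit.enable = true;
    security.rtkit.enable = true;

    # Systemd Login
    services.logind.settings.Login = {
      HandleLidSwitch = "suspend";
      IdleAction = "lock";
      # Don't shutdown when power button is short-pressed; a long press suspends.
      HandlePowerKey = "lock";
      HandlePowerKeyLongPress = "suspend";
    };

    # `swaylock` pam service must be at least declared to work properly.
    # `delay` is in microseconds: 500000 is half a second between failed attempts.
    security.pam.services."swaylock" = {
      nodelay = true;
      failDelay = {
        enable = true;
        delay = 500000;
      };
    };

    # reduce sudo fail delay to half a second (same shape as the swaylock service)
    security.pam.services."sudo" = {
      nodelay = true;
      failDelay = {
        enable = true;
        delay = 500000;
      };
    };

    # Signing
    programs.gnupg.agent.enable = true;
    services.gnome.gnome-keyring.enable = true;
    # gcr's ssh agent is disabled so it does not compete with the
    # `programs.ssh.startAgent` agent below.
    services.gnome.gcr-ssh-agent.enable = false;

    # SSH: remote logins must be key-based.
    services.openssh = {
      enable = true;
      settings = {
        PermitRootLogin = "no";
        PasswordAuthentication = false;
        # `PasswordAuthentication = false` only disables the plain password
        # method; sshd can still prompt for a password through the PAM
        # keyboard-interactive method unless that is disabled as well.
        KbdInteractiveAuthentication = false;
      };
    };

    programs.ssh.startAgent = true;

    # Firmware updates
    services.fwupd.enable = true;
  };
}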