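{ config, pkgs, ... }:

# Workstation security settings: gpg-agent as the ssh agent, YubiKey udev
# access, a screen lock before sleep, and a handful of passwordless sudo
# wrappers that run specific tools under dedicated users or in a container.
let
  # Wrapper that drops into the "fhs" Docker image with the caller's home
  # directory and the Nix store bind-mounted.  HOST_PWD carries the host
  # working directory into the container.
  # NOTE: both mounts are read-write and the sudo rule below runs this as
  # root without a password, so for anyone in wheel this is a root shell.
  fhs = pkgs.writeShellScriptBin "fhs" (
    "${pkgs.docker}/bin/docker run -v /home/user:/home/user -v /nix:/nix "
    + "-e \"HOST_PWD=$PWD\" -it fhs"
  );
in {
  # Explicitly keep user namespaces (needed by the containers above), SMT
  # and kernel module loading enabled; these override whatever a hardened
  # profile would otherwise set, so keep them in one place.
  security.allowUserNamespaces = true;
  security.allowSimultaneousMultithreading = true;
  security.lockKernelModules = false;

  # gpg-agent provides the ssh agent (enableSSHSupport), so the stock
  # ssh-agent is disabled to avoid two agents competing for SSH_AUTH_SOCK.
  programs.ssh.startAgent = false;
  programs.gnupg = {
    agent.enable = true;
    agent.enableSSHSupport = true;
    # Extra (restricted) socket, the one meant to be forwarded to remote hosts.
    agent.enableExtraSocket = true;
    agent.enableBrowserSocket = true;
    dirmngr.enable = true;
  };

  # Bus 001 Device 002: ID 1050:0404 Yubico.com Yubikey 4 CCID
  # MODE="0666" makes the raw USB node readable and writable by every local
  # account, not just the console user.  TAG+="uaccess" (seat-based ACL) is
  # the tighter choice if only the logged-in desktop user needs the token.
  services.udev = {
    extraRules = ''
      ACTION=="add|change", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0404", MODE="0666"
    '';
  };

  systemd = {
    services = {
      # Start xsecurelock on the user's X display before the system sleeps so
      # the session is locked when it resumes.
      "force-lock-after-suspend" = {
        serviceConfig.User = "user";
        description = "Force xsecurelock after suspend";
        before = [ "suspend.target" "hibernate.target" "hybrid-sleep.target" ];
        wantedBy = [ "suspend.target" "hibernate.target" "hybrid-sleep.target" ];
        # Assumes the desktop session is on :0 and that "user" can connect to
        # it without an explicit XAUTHORITY — revisit if either changes.
        script = ''
          DISPLAY=:0 ${pkgs.xsecurelock}/bin/xsecurelock
        '';
      };
    };
  };

  # Allow managing the backlight (and a few sandboxed tools) without a
  # password.  Every rule applies to the whole wheel group: `light` and the
  # `captive` browser run unprivileged, but `fhs` runs docker as root with
  # /nix and /home/user mounted, and the out-of-tree user is in the docker
  # group — both are root-equivalent, so wheel effectively has passwordless
  # root through these rules.
  security.sudo = {
    enable = true;
    extraConfig = ''
      %wheel ALL=(ALL:ALL) NOPASSWD: ${pkgs.light}/bin/light
      %wheel ALL=(captive) NOPASSWD: ${pkgs.firefox}/bin/firefox
      %wheel ALL=(root) NOPASSWD: ${fhs}/bin/fhs
      %wheel ALL=(out-of-tree) NOPASSWD: ${pkgs.out-of-tree}/bin/out-of-tree
    '';
  };

  # Dedicated system account that the out-of-tree wrapper switches to.
  users.users.out-of-tree = {
    home = "/var/out-of-tree";
    group = "out-of-tree";
    isSystemUser = true;
    createHome = true;
    # docker and kvm are presumably what the tool needs to spawn containers
    # and VMs; note that docker group membership is effectively root on the
    # host, so this account is not a real privilege boundary.
    extraGroups = [ "docker" "kvm" ];
  };
  users.groups.out-of-tree = {};

  environment.systemPackages = with pkgs; [
    # Thin wrappers so the sudo rules above can be invoked by bare name.
    (writeShellScriptBin "fhs" "sudo ${fhs}/bin/fhs")
    (writeShellScriptBin "captive" "sudo -H -u captive ${pkgs.firefox}/bin/firefox")
    # Same container as `fhs` but with ptrace allowed (debuggers, strace).
    # This command is not in the NOPASSWD rules, so sudo will still prompt
    # unless docker is allowed elsewhere.
    (writeShellScriptBin "fhs-ptrace" (
      "sudo ${pkgs.docker}/bin/docker run -v /home/user:/home/user "
      + "--cap-add=SYS_PTRACE --security-opt seccomp=unconfined"
      # Fixed: the store mount used "/nix=/nix"; docker's host:container
      # separator is ':', and without it the store was not bind-mounted.
      + " -e \"HOST_PWD=$PWD\" -v /nix:/nix -it fhs"
    ))
    # Forward the caller's arguments intact: "$@" rather than bare $@, which
    # re-splits any argument containing whitespace.
    (writeShellScriptBin "out-of-tree"
      "sudo -H -u out-of-tree ${pkgs.out-of-tree}/bin/out-of-tree \"$@\"")
  ];

  # Privileged wrappers (presumably setuid-root, the module default at the
  # time) so unprivileged users can mount and unmount removable media.
  security.wrappers = {
    pmount.source = "${pkgs.pmount}/bin/pmount";
    pumount.source = "${pkgs.pmount}/bin/pumount";
  };
}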