grimm-nixos-laptop/common/tooling/security.nix

104 lines
2.5 KiB
Nix
Raw Normal View History

2024-05-07 23:31:41 +02:00
{
pkgs,
config,
lib,
2024-11-30 10:47:40 +01:00
inputs,
system,
2024-05-07 23:31:41 +02:00
...
}:
2024-04-13 19:16:33 +02:00
let
2024-05-11 22:55:59 +02:00
inherit (config.grimmShared) enable tooling graphical;
inherit (lib)
optional
optionals
filterAttrs
mkForce
mkIf
attrNames
mkEnableOption
;
2024-11-30 10:47:40 +01:00
age_plugins = with pkgs; [ age-plugin-yubikey ];
2024-04-13 19:16:33 +02:00
in
{
2024-05-11 22:55:59 +02:00
config = mkIf enable {
security.polkit.enable = true;
security.rtkit.enable = true;
2024-04-13 19:16:33 +02:00
2024-05-25 23:14:08 +02:00
security.pam.yubico = {
2024-06-13 22:56:30 +02:00
enable = true;
id = [ "26681512" ];
# debug = true;
2024-05-25 23:14:08 +02:00
mode = "challenge-response";
2024-09-21 09:43:57 +02:00
control = lib.mkDefault "sufficient";
2024-05-25 23:14:08 +02:00
};
2024-09-21 09:43:57 +02:00
# security.doas.enable = true;
security.sudo.enable = true;
2024-11-26 19:20:10 +01:00
2024-05-11 22:55:59 +02:00
security.doas.extraRules = [
{
users = attrNames (filterAttrs (n: v: v.isNormalUser) config.users.users);
keepEnv = true;
persist = true;
}
];
2024-04-13 19:16:33 +02:00
2024-11-30 10:47:40 +01:00
services.pcscd.enable = true;
age.ageBin =
let
rage_wrapped = pkgs.symlinkJoin {
name = "rage";
paths = [ pkgs.rage ];
buildInputs = [ pkgs.makeWrapper ];
postBuild = ''
wrapProgram $out/bin/rage \
--prefix PATH : ${lib.makeBinPath age_plugins}
'';
};
in
lib.getExe' rage_wrapped "rage";
programs.yubikey-touch-detector.enable = graphical;
2024-12-23 17:45:20 +01:00
services.yubikey-agent.enable = true;
2024-11-30 10:47:40 +01:00
2024-05-11 22:55:59 +02:00
environment.systemPackages =
(with pkgs; [
mkpasswd
2024-12-23 17:45:20 +01:00
# gnupg
2024-05-11 22:55:59 +02:00
libsecret
vulnix
2024-11-30 10:47:40 +01:00
(inputs.agenix.packages."${system}".default.override { plugins = age_plugins; })
2024-06-13 22:56:30 +02:00
yubikey-manager
yubico-pam
yubikey-personalization
2024-05-11 22:55:59 +02:00
])
2024-11-30 10:47:40 +01:00
++ age_plugins
2024-09-21 09:43:57 +02:00
++ (optionals (tooling.enable && tooling.pass) [
2024-05-11 22:55:59 +02:00
pkgs.pass
(pkgs.writeShellScriptBin "passw" "pass $@")
2024-09-21 09:43:57 +02:00
])
++ (optional config.security.doas.enable pkgs.sudo-doas-shim)
++ (optional graphical pkgs.lxqt.lxqt-policykit);
2024-04-13 19:16:33 +02:00
2024-05-11 22:55:59 +02:00
services.passSecretService.enable = mkIf (tooling.enable && tooling.pass) true;
2024-07-02 20:04:55 +02:00
services.openssh.settings.LoginGraceTime = 0;
2024-12-23 17:45:20 +01:00
# programs.gnupg.agent = {
# settings = {
# # default-cache-ttl = 6000;
# };
# pinentryPackage = mkForce (if graphical then pkgs.pinentry-qt else pkgs.pinentry-tty);
# enable = true;
# enableSSHSupport = true;
# };
2024-09-21 09:43:57 +02:00
2024-11-26 19:20:10 +01:00
grimmShared.firefox.plugins = mkIf (tooling.enable && tooling.pass) {
"passff@invicem.pro" = "passff";
};
2024-05-11 22:55:59 +02:00
};
2024-05-11 22:55:59 +02:00
options.grimmShared.tooling.pass = mkEnableOption "Enables password-store, gnupg and such secret handling";
2024-04-13 19:16:33 +02:00
}