grimm-nixos-laptop/common/tooling/security.nix

68 lines
1.5 KiB
Nix
Raw Normal View History

2024-05-07 23:31:41 +02:00
{
pkgs,
config,
lib,
...
}:
2024-04-13 19:16:33 +02:00
let
2024-05-11 22:55:59 +02:00
inherit (config.grimmShared) enable tooling graphical;
inherit (lib)
optional
optionals
filterAttrs
mkForce
mkIf
attrNames
mkEnableOption
;
2024-04-13 19:16:33 +02:00
in
{
2024-05-11 22:55:59 +02:00
config = mkIf enable {
security.polkit.enable = true;
security.rtkit.enable = true;
2024-04-13 19:16:33 +02:00
2024-05-25 23:14:08 +02:00
security.pam.yubico = {
# enable = true;
debug = true;
mode = "challenge-response";
control = "sufficient";
};
2024-05-11 22:55:59 +02:00
security.doas.enable = true;
security.sudo.enable = false;
security.doas.extraRules = [
{
users = attrNames (filterAttrs (n: v: v.isNormalUser) config.users.users);
keepEnv = true;
persist = true;
}
];
2024-04-13 19:16:33 +02:00
2024-05-11 22:55:59 +02:00
environment.systemPackages =
(with pkgs; [
mkpasswd
gnupg
libsecret
vulnix
doas-sudo-shim # muscle memory
agenix
])
++ optionals (tooling.enable && tooling.pass) [
pkgs.pass
(pkgs.writeShellScriptBin "passw" "pass $@")
]
++ optional graphical pkgs.lxqt.lxqt-policykit;
2024-04-13 19:16:33 +02:00
2024-05-11 22:55:59 +02:00
services.passSecretService.enable = mkIf (tooling.enable && tooling.pass) true;
programs.gnupg.agent = {
settings = {
# default-cache-ttl = 6000;
2024-04-13 19:16:33 +02:00
};
2024-05-11 22:55:59 +02:00
pinentryPackage = mkForce (if graphical then pkgs.pinentry-qt else pkgs.pinentry-tty);
enable = true;
2024-04-13 19:16:33 +02:00
};
2024-05-11 22:55:59 +02:00
};
2024-05-11 22:55:59 +02:00
options.grimmShared.tooling.pass = mkEnableOption "Enables password-store, gnupg and such secret handling";
2024-04-13 19:16:33 +02:00
}