grimm-nixos-laptop/hardening/security.nix
2025-01-10 12:50:01 +01:00

97 lines
2.3 KiB
Nix

{
pkgs,
config,
lib,
inputs,
system,
...
}:
let
inherit (lib)
optional
filterAttrs
mkDefault
attrNames
;
age_plugins = with pkgs; [ age-plugin-yubikey ];
in
{
config = {
security.polkit.enable = mkDefault true;
security.rtkit.enable = true;
security.pam.yubico = {
enable = true;
id = [ "26681512" ];
# debug = true;
mode = "challenge-response";
control = lib.mkDefault "sufficient";
};
# security.doas.enable = true;
security.sudo.enable = mkDefault true;
security.sudo.execWheelOnly = true;
security.doas.extraRules = [
{
users = attrNames (filterAttrs (n: v: v.isNormalUser) config.users.users);
keepEnv = true;
persist = true;
}
];
services.pcscd.enable = true;
age.ageBin =
let
rage_wrapped = pkgs.symlinkJoin {
name = "rage";
paths = [ pkgs.rage ];
buildInputs = [ pkgs.makeWrapper ];
postBuild = ''
wrapProgram $out/bin/rage \
--prefix PATH : ${lib.makeBinPath age_plugins}
'';
};
in
lib.getExe' rage_wrapped "rage";
programs.yubikey-touch-detector.enable = config.programs.sway.enable;
services.yubikey-agent.enable = true;
environment.systemPackages =
(with pkgs; [
mkpasswd
# gnupg
libsecret
vulnix
(inputs.agenix.packages."${system}".default.override { plugins = age_plugins; })
yubikey-manager
yubico-pam
yubikey-personalization
pkgs.pass
])
++ age_plugins
++ (optional config.security.doas.enable pkgs.sudo-doas-shim);
# ++ (optional graphical pkgs.lxqt.lxqt-policykit);
services.passSecretService.enable = true;
services.openssh.settings.LoginGraceTime = 0;
# programs.gnupg.agent = {
# settings = {
# # default-cache-ttl = 6000;
# };
# pinentryPackage = mkForce (if graphical then pkgs.pinentry-qt else pkgs.pinentry-tty);
# enable = true;
# enableSSHSupport = true;
# };
grimmShared.firefox.plugins = {
"passff@invicem.pro" = "passff";
};
programs.firefox.nativeMessagingHosts.packages = [ pkgs.passff-host ];
};
}