grimm-nixos-laptop/common/security.nix

40 lines
1.1 KiB
Nix

{ pkgs, config, lib, inputs, system, ... }:
let
cfg = config.grimmShared;
in
{
config = with cfg; lib.mkIf enable {
security.polkit.enable = true;
networking.firewall.enable = lib.mkIf network true;
security.rtkit.enable = true;
security.doas.enable = true;
security.sudo.enable = false;
security.doas.extraRules = [{
users = lib.attrNames (lib.filterAttrs (n: v: v.isNormalUser) config.users.users);
keepEnv = true;
persist = true;
}];
environment.systemPackages = with pkgs; [
mkpasswd
gnupg
libsecret
vulnix
doas-sudo-shim # muscle memory
inputs.agenix.packages.${system}.default
] ++ lib.optionals (tooling.enable && tooling.pass) [
pass
(writeShellScriptBin "passw" "pass $@")
] ++ lib.optional graphical lxqt.lxqt-policykit;
services.passSecretService.enable = lib.mkIf (tooling.enable && tooling.pass) true;
programs.gnupg.agent = {
settings = {
# default-cache-ttl = 6000;
};
pinentryPackage = with pkgs; lib.mkForce (if graphical then pinentry-qt else pinentry-tty);
enable = true;
};
};
}