{ config, pkgs, lib, ... }: {
# Mandatory access control.  Enabling AppArmor only loads the kernel LSM and
# whatever profiles nixpkgs ships; nothing in this file attaches a profile to
# a program, so on its own this confines very little.  Check `aa-status` for
# what is actually in enforce mode.
security.apparmor.enable = true;

# NOTE(review): firejail is installed as a setuid-root wrapper.  Nothing in
# this file invokes it, and a setuid sandbox is local attack surface of its
# own -- keep it only if it is really used.
programs.firejail.enable = true;

# Users and groups are generated purely from this configuration; `passwd`
# changes made on the running system do not persist across activations.
users.mutableUsers = false;
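users.users.balsoft = {
  isNormalUser = true;
  description = "Александр Бантьев";
  uid = 1000;

  # NOTE(review): several of these groups are root-equivalent by themselves --
  # `wheel`/`sudo` (sudo access), `docker` (the daemon socket can mount the
  # host filesystem), `disk` (raw read/write of every block device) and
  # `libvirtd`.  `input` additionally grants read access to every input
  # device, i.e. the keystrokes of any other session on this machine.
  # Prune to what this account actually needs.
  extraGroups = [
    "sudo"
    "wheel"
    "networkmanager"
    "disk"
    "dbus"
    "audio"
    "docker"
    "sound"
    "pulse"
    "adbusers"
    "input"
    "libvirtd"
    "vboxusers"
    "wireshark"
    "lp"
    "scanner"
  ];

  # Previously `password = ""`.  With `users.mutableUsers = false` NixOS
  # hashes that value into a real password hash of the empty string, so every
  # PAM service that still runs pam_unix -- i.e. anything not given
  # `unixAuth = false` further down (sshd, a display manager, cups, ...) --
  # accepts a blank password for a sudo/docker/disk user.  A `!` hash locks
  # password authentication entirely; the services that matter here
  # authenticate through pam_u2f, which never consults this field.
  hashedPassword = "!";
};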
# `user@<uid>.service` hosts the per-user systemd instance; restart it
# unconditionally if it dies so user services come back on their own.
systemd.services."user@" = { serviceConfig = { Restart = "always"; }; };
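# One-time pam_u2f enrolment: create the per-user key mapping if it does not
# exist yet.  NOTE(review): pam_u2f reads this file from the user's own home
# directory, while sudo/su/login below have pam_unix disabled and pam_u2f as
# their only authenticator -- so any process running as balsoft can rewrite
# this file with a key it controls and then pass sudo without interaction.
# For the privileged services a root-owned mapping outside $HOME (pam_u2f
# `authfile`) is the safer arrangement.
home-manager.users.balsoft.home.activation.yubi = {
  data = ''
    dir=/home/balsoft/.config/Yubico
    keys=$dir/u2f_keys
    # Absolute path throughout: the original mixed a relative
    # `mkdir -p .config/Yubico` with an absolute redirect target, which only
    # agreed when the activation's working directory happened to be $HOME.
    mkdir -p "$dir"
    if [ ! -f "$keys" ]; then
      # Write to a temporary file and rename only on success.  Redirecting
      # straight into the mapping left an empty file behind whenever
      # pamu2fcfg failed (no token plugged in); every later activation then
      # skipped enrolment while pam_u2f rejected every login.
      umask 077
      if ${pkgs.pam_u2f}/bin/pamu2fcfg -u balsoft > "$keys.tmp"; then
        mv "$keys.tmp" "$keys"
      else
        rm -f "$keys.tmp"
        echo "yubi: pamu2fcfg failed, u2f_keys not written" >&2
      fi
    fi
  '';
  after = [ "linkGeneration" ];
  before = [ ];
};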
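# Lock every session as soon as the YubiKey (USB vendor 0x1050) is unplugged.
# The original matched `ATTRS{idVendor}`; on a `remove` event the device's
# sysfs attributes are in practice no longer readable, so a rule keyed on
# ATTRS tends never to fire.  The udev database still carries the ID_*
# properties of the removed device, so match on those instead.  This fires
# once per removed interface, which is harmless for `lock-sessions`.
services.udev.extraRules = ''
  ACTION=="remove", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
'';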
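# Auto-login balsoft on the virtual consoles.  The login-shell hook below is
# the only thing gating that session behind pam_u2f (via vlock), so it must
# fail closed.
services.mingetty.autologinUser = "balsoft";

# Runs for every interactive login shell.  On a VT: lock first and start sway
# on tty1 only if the lock returned successfully.  The original chained the
# two with independent `&&`s, so a lock that failed to start still fell
# through into an unlocked sway session.  A failed lock now ends the login
# shell instead (getty will simply respawn the VT).
# NOTE(review): `lock` is a no-op unless `deviceSpecific.isLaptop` holds (see
# its definition further down), so on a non-laptop this autologin is still
# effectively unauthenticated.
environment.loginShellInit = ''
  if [[ "$(tty)" == /dev/tty? ]]; then
    sudo /run/current-system/sw/bin/lock this || exit 1
    [[ "$(tty)" == /dev/tty1 ]] && sway
  fi
'';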
# pam_u2f for every PAM service, with `sufficient` control: a successful
# touch satisfies authentication on its own; a failure falls through to
# whatever follows (for services that keep pam_unix, the password).
# NOTE(review): no `authFile` is set, so pam_u2f reads the default
# ~/.config/Yubico/u2f_keys -- a file the user can rewrite.  For the
# root-gating services (sudo, su, login) that lets a compromised user session
# enrol its own key; a root-owned mapping file via `authFile` is the usual fix.
security.pam.u2f.enable = true;
# Print a "touch the device" reminder when waiting for the key.
security.pam.u2f.cue = true;
security.pam.u2f.control = "sufficient";
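environment.systemPackages = [
  # `lock [this]`: lock the virtual consoles with vlock.  Invoked through
  # sudo (see the sudoers entries below) so an unprivileged session can lock
  # the screen; `USER=balsoft` tells vlock whose credentials -- through the
  # `vlock` PAM service, i.e. pam_u2f -- unlock it again.
  #   lock this   -> `vlock -s`    lock only the current console
  #   lock <else> -> `vlock -san`  lock all consoles from a fresh one
  # `-s` also disables SysRq while locked.
  # NOTE(review): the vlock call is only generated when
  # `deviceSpecific.isLaptop` holds; elsewhere this script exits 0 without
  # locking anything, and the autologin + loginShellInit pair above relies on
  # it for protection.
  (pkgs.writeShellScriptBin "lock" ''
    set -euo pipefail
    # Test "$#" first: under `set -u` a bare "$1" aborts with an unbound
    # variable error when the script is run with no argument at all.
    if [[ "$#" -ge 1 && "$1" == this ]]
    then args="-s"
    else args="-san"
    fi
    ${lib.optionalString (config.deviceSpecific.isLaptop) ''USER=balsoft ${pkgs.vlock}/bin/vlock "$args"''}
  '')
];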
# Drop pam_unix (password) authentication from these services so that
# pam_u2f, configured above as `sufficient`, is their only authenticator.
# NOTE(review): this is an allow-list of what has been hardened, not a
# policy -- any PAM service absent here (sshd, a display manager, cups, ...)
# still runs pam_unix against the user's password hash.
security.pam.services = lib.genAttrs [
  # account and password maintenance
  "chpasswd" "chsh" "passwd"
  "groupadd" "groupdel" "groupmems" "groupmod"
  "useradd" "userdel" "usermod"
  # session entry and privilege changes
  "login" "su" "sudo" "runuser" "runuser-l" "polkit-1" "systemd-user"
  # screen lockers
  "i3lock" "i3lock-color" "swaylock" "vlock" "xlock" "xscreensaver"
] (_: { unixAuth = false; });
# Passwordless sudo for exactly the screen-lock and backlight helpers; every
# other sudo invocation goes through the `sudo` PAM service, which has
# pam_unix disabled above and therefore needs a U2F touch.
# NOTE(review): the first `lock` rule carries no argument list, which in
# sudoers means "any arguments", so it already subsumes the `lock this` rule.
# That is only harmless because the `lock` script ignores everything but "$1".
security.sudo.enable = true;
security.sudo.extraConfig = ''
  balsoft ALL = (root) NOPASSWD: /run/current-system/sw/bin/lock
  balsoft ALL = (root) NOPASSWD: /run/current-system/sw/bin/lock this
  balsoft ALL = (root) NOPASSWD: ${pkgs.light}/bin/light -A 5
  balsoft ALL = (root) NOPASSWD: ${pkgs.light}/bin/light -U 5
'';

# Install home-manager's packages through users.users.<name>.packages rather
# than into the per-user profile.
home-manager.useUserPackages = true;
}