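{ config, pkgs, lib, ... }: {
  # Account and authentication setup for the single user "balsoft".
  # The intent visible here is a U2F-first login path (pam_u2f below);
  # review notes on the remaining password-based paths are inline.

  security.apparmor.enable = true;

  programs.firejail.enable = true;

  # Users and groups are generated from this file only; changes made with
  # passwd/useradd on the running system are discarded on activation.
  users.mutableUsers = false;

  users.users.balsoft = {
    isNormalUser = true;
    # NOTE(review): "sudo"/"wheel", "disk", "docker" and "libvirtd" are each
    # root-equivalent in practice, so this is an administrator account and
    # the strength of its authentication path (see `password` below) matters
    # for the whole host.
    extraGroups = [
      "sudo"
      "wheel"
      "networkmanager"
      "disk"
      "dbus"
      "audio"
      "docker"
      "sound"
      "pulse"
      "adbusers"
      "input"
      "libvirtd"
      "vboxusers"
      "wireshark"
    ];
    description = "Александр Бантьев";
    # Must agree with the hard-coded /run/user/1000 paths further down.
    uid = 1000;
    # NOTE(review): `password` is a clear-text option (the value ends up
    # world-readable in the Nix store) and is hashed at activation. An empty
    # string presumably yields a hash that matches an empty typed password,
    # which every PAM service still running pam_unix (sudo's wheel rule,
    # login, the screen locker) may accept -- only the "default" service
    # below disables pam_unix. If the account is meant to be U2F-only,
    # `hashedPassword = "!";` locks the password field instead; confirm
    # nothing relies on the empty password before changing it.
    password = "";
  };

  # Restart the per-user systemd manager unconditionally if it exits.
  systemd.services."user@" = { serviceConfig = { Restart = "always"; }; };

  # Enrol the U2F token for pam_u2f on first activation. The registration is
  # written only when the key file is missing or empty, so a re-activation
  # never overwrites an existing enrolment. The directory is created first:
  # previously the redirection failed when ~/.config/Yubico did not exist.
  # NOTE(review): if no token is plugged in, pamu2fcfg fails and the
  # activation script (which stops on error) aborts the switch -- presumably
  # acceptable for a single-user machine; confirm.
  home-manager.users.balsoft.home.activation.yubi = {
    data =
      "[ -s /home/balsoft/.config/Yubico/u2f_keys ] || (mkdir -p /home/balsoft/.config/Yubico && pamu2fcfg > /home/balsoft/.config/Yubico/u2f_keys)";
    after = [ "linkGeneration" ];
    before = [ ];
  };

  # Runtime directory of uid 1000 (see users.users.balsoft.uid above).
  home-manager.users.balsoft.home.sessionVariables.XDG_RUNTIME_DIR =
    "/run/user/1000";

  # Lock the session when a device with USB vendor id 1050 (the U2F token) is
  # removed. The lock runs as balsoft via the sudo wrapper so swaylock can
  # reach the user's Wayland socket; the colour passed to -c is
  # config.themes.colors.bg with its first character dropped (presumably the
  # leading "#" of a "#rrggbb" value).
  # NOTE(review): udev is documented to kill processes spawned via RUN+= once
  # event handling finishes, so the forked swaylock may not survive -- verify
  # on a live system, and if it does not, have the rule start a systemd unit
  # instead. WAYLAND_DISPLAY is not passed, so swaylock can only connect if
  # the compositor uses the default socket name; confirm.
  services.udev.extraRules = ''
    ACTION=="remove", ATTRS{idVendor}=="1050", RUN+="${
      pkgs.writeShellScript "lock-system"
      "/run/wrappers/bin/sudo -u balsoft XDG_RUNTIME_DIR=/run/user/1000/ ${pkgs.swaylock}/bin/swaylock -f -c ${
        builtins.substring 1 7 config.themes.colors.bg
      }"
    }"'';

  # pam_u2f for every PAM service: a touch of an enrolled token alone
  # satisfies the auth stack ("sufficient"); `cue` prints a reminder to touch.
  security.pam.u2f = {
    control = "sufficient";
    cue = true;
    enable = true;
  };

  # Service "default": pam_unix is removed (unixAuth = false) and every
  # management group ends in warn + deny, so anything that does not succeed
  # earlier in the stack -- in practice only pam_u2f above -- is refused.
  # NOTE(review): PAM's catch-all for unknown service names is "other", not
  # "default"; this block only applies to clients that request the service
  # name "default". Verify which programs actually use it.
  security.pam.services.default = {
    unixAuth = false;
    text = lib.mkAfter ''
      auth required pam_warn.so
      auth required pam_deny.so
      account required pam_warn.so
      account required pam_deny.so
      password required pam_warn.so
      password required pam_deny.so
      session required pam_warn.so
      session required pam_deny.so
    '';
  };

  # Passwordless sudo is limited to two exact brightness-step commands: the
  # Nix store path pins the binary and sudoers matches the argument list
  # literally, so no other invocation of `light` is covered.
  security.sudo = {
    enable = true;
    extraConfig = ''
      balsoft ALL = (root) NOPASSWD: ${pkgs.light}/bin/light -A 5
      balsoft ALL = (root) NOPASSWD: ${pkgs.light}/bin/light -U 5
    '';
  };

  # NOTE(review): this disables signature checking on substituted store
  # paths, so any configured substituter -- or anyone able to tamper with the
  # traffic to it -- can supply arbitrary paths, including this system's own
  # closure. Prefer keeping signatures required and adding the cache's key
  # to nix.binaryCachePublicKeys instead.
  nix.requireSignedBinaryCaches = false;

  # Install home-manager user packages through users.users.<name>.packages.
  home-manager.useUserPackages = true;
}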