nixos: add physlock service

9 years ago · 75ba6b553c
parent c8ea6c07c6
commit 75ba6b553c
2 changed files with 115 additions and 0 deletions
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -374,6 +374,7 @@
  ./services/security/haveged.nix
  ./services/security/hologram.nix
  ./services/security/munge.nix
+  ./services/security/physlock.nix
  ./services/security/torify.nix
  ./services/security/tor.nix
  ./services/security/torsocks.nix
--- a/nixos/modules/services/security/physlock.nix
+++ b/nixos/modules/services/security/physlock.nix
@ -0,0 +1,114 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.physlock;
+in
+
+{
+
+  ###### interface
+
+  options = {
+
+    services.physlock = {
+
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to enable the <command>physlock</command> screen locking mechanism.
+
+          Enable this and then run <command>systemctl start physlock</command>
+          to securely lock the screen.
+
+          This will switch to a new virtual terminal, turn off console
+          switching and disable SysRq mechanism (when
+          <option>services.physlock.disableSysRq</option> is set)
+          until the root or <option>services.physlock.user</option>
+          password is given.
+        '';
+      };
+
+      user = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = ''
+          User whose password will be used to unlock the screen on par
+          with the root password.
+        '';
+      };
+
+      disableSysRq = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          Whether to disable SysRq when locked with physlock.
+        '';
+      };
+
+      lockOn = {
+
+        suspend = mkOption {
+          type = types.bool;
+          default = true;
+          description = ''
+            Whether to lock screen with physlock just before suspend.
+          '';
+        };
+
+        hibernate = mkOption {
+          type = types.bool;
+          default = true;
+          description = ''
+            Whether to lock screen with physlock just before hibernate.
+          '';
+        };
+
+        extraTargets = mkOption {
+          type = types.listOf types.str;
+          default = [];
+          example = [ "display-manager.service" ];
+          description = ''
+            Other targets to lock the screen just before.
+
+            Useful if you want to e.g. both autologin to X11 so that
+            your <filename>~/.xsession</filename> gets executed and
+            still to have the screen locked so that the system can be
+            booted relatively unattended.
+          '';
+        };
+
+      };
+
+    };
+
+  };
+
+
+  ###### implementation
+
+  config = mkIf cfg.enable {
+
+    # for physlock -l and physlock -L
+    environment.systemPackages = [ pkgs.physlock ];
+
+    systemd.services."physlock" = {
+      enable = true;
+      description = "Physlock";
+      wantedBy = optional cfg.lockOn.suspend   "suspend.target"
+              ++ optional cfg.lockOn.hibernate "hibernate.target"
+              ++ cfg.lockOn.extraTargets;
+      before   = optional cfg.lockOn.suspend   "systemd-suspend.service"
+              ++ optional cfg.lockOn.hibernate "systemd-hibernate.service"
+              ++ cfg.lockOn.extraTargets;
+      serviceConfig.Type = "forking";
+      script = ''
+        ${pkgs.physlock}/bin/physlock -d${optionalString cfg.disableSysRq "s"}${optionalString (cfg.user != null) " -u ${cfg.user}"}
+      '';
+    };
+
+  };
+
+}