system/modules/security.nix

{ pkgs, ... }:
{
  security = {
    polkit = {
      enable = true;
      debug = true;
      extraConfig = ''
        polkit.addRule(function (action, subject) {
          if (
            subject.isInGroup("users") &&
            [
              "org.freedesktop.login1.reboot",
              "org.freedesktop.login1.reboot-multiple-sessions",
              "org.freedesktop.login1.power-off",
              "org.freedesktop.login1.power-off-multiple-sessions",
            ].indexOf(action.id) !== -1
          ) {
            return polkit.Result.YES;
          }
        });
        polkit.addRule(function(action, subject) {
          var YES = polkit.Result.YES;
          var permission = {
            // required for udisks1:
            "org.freedesktop.udisks.filesystem-mount": YES,
            "org.freedesktop.udisks.luks-unlock": YES,
            "org.freedesktop.udisks.drive-eject": YES,
            "org.freedesktop.udisks.drive-detach": YES,
            // required for udisks2:
            "org.freedesktop.udisks2.filesystem-mount": YES,
            "org.freedesktop.udisks2.encrypted-unlock": YES,
            "org.freedesktop.udisks2.eject-media": YES,
            "org.freedesktop.udisks2.power-off-drive": YES,
            // required for udisks2 if using udiskie from another seat (e.g. systemd):
            "org.freedesktop.udisks2.filesystem-mount-other-seat": YES,
            "org.freedesktop.udisks2.filesystem-unmount-others": YES,
            "org.freedesktop.udisks2.encrypted-unlock-other-seat": YES,
            "org.freedesktop.udisks2.encrypted-unlock-system": YES,
            "org.freedesktop.udisks2.eject-media-other-seat": YES,
            "org.freedesktop.udisks2.power-off-drive-other-seat": YES
          };
          if (subject.isInGroup("storage")) {
            return permission[action.id];
          };
        });
        polkit.addRule(function(action, subject) {
          if (action.id == "org.kde.kio.admin.commands" && subject.isInGroup("wheel")) {
            return polkit.Result.YES; // No password prompt!
          }
        });
        polkit.addRule(function(action, subject) {
          // Make sure to set { security.polkit.debug = true; } in configuration.nix
          polkit.log("user " +  subject.user + " is attempting action " + action.id + " from PID " + subject.pid);
        });
      '';
      adminIdentities = [
        "unix-group:wheel"
      ];
    };

    pam.services = {
       login.kwallet = {
         enable = true;
         package = pkgs.kdePackages.kwallet-pam;
       };
      sddm = {
        enableKwallet = true;
        text = ''
          # Enable pam_kwallet5 for sddm
          auth      optional      pam_kwallet5.so
          session   optional      pam_kwallet5.so auto_start
        '';
        };
      };

    rtkit.enable = true;

    sudo = {
      enable = true;
      extraConfig = ''
        %wheel ALL=(ALL) NOPASSWD: ${pkgs.input-remapper}/bin/input-remapper-service
        %wheel ALL=(ALL) NOPASSWD: ${pkgs.input-remapper}/bin/input-remapper-control
        %wheel ALL=(ALL) NOPASSWD: ${pkgs.input-remapper}/bin/input-remapper-gtk
        %wheel ALL=(ALL) NOPASSWD: /run/wrappers/bin/systemctl restart display-manager
        %wheel ALL=(ALL) NOPASSWD: /home/wayne/.nix-profile/bin/journalctl -f
      '';
    };
  };

  age = {
    identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    secrets = {
      nextcloud = {
        file = ../secrets/nextcloud.age;
      };
      wayne = {
        file = ../secrets/whayes.age;
      };
      onlyoffice = {
        file = ../secrets/onlyoffice-jwt.age;
      };
      pia = {
        file = ../secrets/pia.age;
      };
      ff-sync = {
        file = ../secrets/ff-sync.age;
      };
    };
  };
}

  # security.pam.services.wayne.kwallet.enable = true;
  # security.pam.services.wayne.kwallet.package = pkgs.kdePackages.kwallet-pam;
  # security.pam.services.wayne.kwallet.package = pkgs.plasma5Packages.kwallet-pam;
First build 2024-10-14 18:35:04 -04:00			`{ pkgs, ... }:`
Initial Commit 2024-10-14 17:28:31 -04:00			`{`
Many Optimizations 2025-05-03 12:34:07 -04:00			`security = {`
			`polkit = {`
			`enable = true;`
			`debug = true;`
			`extraConfig = ''`
			`polkit.addRule(function (action, subject) {`
			`if (`
			`subject.isInGroup("users") &&`
			`[`
			`"org.freedesktop.login1.reboot",`
			`"org.freedesktop.login1.reboot-multiple-sessions",`
			`"org.freedesktop.login1.power-off",`
			`"org.freedesktop.login1.power-off-multiple-sessions",`
			`].indexOf(action.id) !== -1`
			`) {`
			`return polkit.Result.YES;`
			`}`
			`});`
			`polkit.addRule(function(action, subject) {`
			`var YES = polkit.Result.YES;`
			`var permission = {`
			`// required for udisks1:`
			`"org.freedesktop.udisks.filesystem-mount": YES,`
			`"org.freedesktop.udisks.luks-unlock": YES,`
			`"org.freedesktop.udisks.drive-eject": YES,`
			`"org.freedesktop.udisks.drive-detach": YES,`
			`// required for udisks2:`
			`"org.freedesktop.udisks2.filesystem-mount": YES,`
			`"org.freedesktop.udisks2.encrypted-unlock": YES,`
			`"org.freedesktop.udisks2.eject-media": YES,`
			`"org.freedesktop.udisks2.power-off-drive": YES,`
			`// required for udisks2 if using udiskie from another seat (e.g. systemd):`
			`"org.freedesktop.udisks2.filesystem-mount-other-seat": YES,`
			`"org.freedesktop.udisks2.filesystem-unmount-others": YES,`
			`"org.freedesktop.udisks2.encrypted-unlock-other-seat": YES,`
			`"org.freedesktop.udisks2.encrypted-unlock-system": YES,`
			`"org.freedesktop.udisks2.eject-media-other-seat": YES,`
			`"org.freedesktop.udisks2.power-off-drive-other-seat": YES`
			`};`
			`if (subject.isInGroup("storage")) {`
			`return permission[action.id];`
			`};`
			`});`
			`polkit.addRule(function(action, subject) {`
			`if (action.id == "org.kde.kio.admin.commands" && subject.isInGroup("wheel")) {`
			`return polkit.Result.YES; // No password prompt!`
			`}`
			`});`
			`polkit.addRule(function(action, subject) {`
			`// Make sure to set { security.polkit.debug = true; } in configuration.nix`
			`polkit.log("user " + subject.user + " is attempting action " + action.id + " from PID " + subject.pid);`
			`});`
			`'';`
			`adminIdentities = [`
			`"unix-group:wheel"`
			`];`
Second Build - Full Boat 2024-10-14 19:37:56 -04:00			`};`
First build 2024-10-14 18:35:04 -04:00
Many Optimizations 2025-05-03 12:34:07 -04:00			`pam.services = {`
			`login.kwallet = {`
			`enable = true;`
			`package = pkgs.kdePackages.kwallet-pam;`
			`};`
			`sddm = {`
			`enableKwallet = true;`
			`text = ''`
			`# Enable pam_kwallet5 for sddm`
			`auth optional pam_kwallet5.so`
			`session optional pam_kwallet5.so auto_start`
			`'';`
			`};`
			`};`

			`rtkit.enable = true;`
First build 2024-10-14 18:35:04 -04:00
Many Optimizations 2025-05-03 12:34:07 -04:00			`sudo = {`
			`enable = true;`
			`extraConfig = ''`
			`%wheel ALL=(ALL) NOPASSWD: ${pkgs.input-remapper}/bin/input-remapper-service`
			`%wheel ALL=(ALL) NOPASSWD: ${pkgs.input-remapper}/bin/input-remapper-control`
			`%wheel ALL=(ALL) NOPASSWD: ${pkgs.input-remapper}/bin/input-remapper-gtk`
			`%wheel ALL=(ALL) NOPASSWD: /run/wrappers/bin/systemctl restart display-manager`
			`%wheel ALL=(ALL) NOPASSWD: /home/wayne/.nix-profile/bin/journalctl -f`
			`'';`
			`};`
First build 2024-10-14 18:35:04 -04:00			`};`

Containers and Refinements Oh my 2024-11-01 12:04:24 -04:00			`age = {`
PIA w/agenix added. 2024-12-03 13:21:22 -05:00			`identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];`
Containers and Refinements Oh my 2024-11-01 12:04:24 -04:00			`secrets = {`
			`nextcloud = {`
			`file = ../secrets/nextcloud.age;`
			`};`
			`wayne = {`
			`file = ../secrets/whayes.age;`
			`};`
			`onlyoffice = {`
			`file = ../secrets/onlyoffice-jwt.age;`
			`};`
PIA w/agenix added. 2024-12-03 13:21:22 -05:00			`pia = {`
			`file = ../secrets/pia.age;`
			`};`
Many Optimizations 2025-05-03 12:34:07 -04:00			`ff-sync = {`
			`file = ../secrets/ff-sync.age;`
			`};`
Containers and Refinements Oh my 2024-11-01 12:04:24 -04:00			`};`
			`};`
Misnux added. 2024-11-29 18:31:17 -05:00			`}`
Many Optimizations 2025-05-03 12:34:07 -04:00
			`# security.pam.services.wayne.kwallet.enable = true;`
			`# security.pam.services.wayne.kwallet.package = pkgs.kdePackages.kwallet-pam;`
			`# security.pam.services.wayne.kwallet.package = pkgs.plasma5Packages.kwallet-pam;`