system/modules/security.nix

{ pkgs, ... }:
{
    security.polkit = {
    enable = true;
    extraConfig = ''
      polkit.addRule(function (action, subject) {
        if (
          subject.isInGroup("users") &&
          [
            "org.freedesktop.login1.reboot",
            "org.freedesktop.login1.reboot-multiple-sessions",
            "org.freedesktop.login1.power-off",
            "org.freedesktop.login1.power-off-multiple-sessions",
          ].indexOf(action.id) !== -1
        ) {
          return polkit.Result.YES;
        }
      });
      polkit.addRule(function(action, subject) {
        var YES = polkit.Result.YES;
        var permission = {
          // required for udisks1:
          "org.freedesktop.udisks.filesystem-mount": YES,
          "org.freedesktop.udisks.luks-unlock": YES,
          "org.freedesktop.udisks.drive-eject": YES,
          "org.freedesktop.udisks.drive-detach": YES,
          // required for udisks2:
          "org.freedesktop.udisks2.filesystem-mount": YES,
          "org.freedesktop.udisks2.encrypted-unlock": YES,
          "org.freedesktop.udisks2.eject-media": YES,
          "org.freedesktop.udisks2.power-off-drive": YES,
          // required for udisks2 if using udiskie from another seat (e.g. systemd):
          "org.freedesktop.udisks2.filesystem-mount-other-seat": YES,
          "org.freedesktop.udisks2.filesystem-unmount-others": YES,
          "org.freedesktop.udisks2.encrypted-unlock-other-seat": YES,
          "org.freedesktop.udisks2.encrypted-unlock-system": YES,
          "org.freedesktop.udisks2.eject-media-other-seat": YES,
          "org.freedesktop.udisks2.power-off-drive-other-seat": YES
        };
        if (subject.isInGroup("storage")) {
          return permission[action.id];
        }
      });
    '';
  };

  security.pam.services = {
   login.enableKwallet = true;
   login.kwallet = {
     enable = true;
     package = pkgs.plasma5Packages.kwallet-pam;
   };
  sddm = {
    enableKwallet = true;
    text = ''
      # Enable pam_kwallet5 for sddm
      auth      optional      pam_kwallet5.so
      session   optional      pam_kwallet5.so auto_start
    '';
    };
  };
  security.pam.services.wayne.kwallet.enable = true;
  security.pam.services.wayne.kwallet.package = pkgs.plasma5Packages.kwallet-pam;

  security.rtkit.enable = true;

  security.sudo = {
    enable = true;
    extraConfig = ''
      %wheel ALL=(ALL) NOPASSWD: ${pkgs.input-remapper}/bin/input-remapper-service
      %wheel ALL=(ALL) NOPASSWD: ${pkgs.input-remapper}/bin/input-remapper-control
    '';
  };

    # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  # programs.gnupg.agent = {
  #   enable = true;
  #   enableSSHSupport = true;
  # };
}
First build 2024-10-14 18:35:04 -04:00			`{ pkgs, ... }:`
Initial Commit 2024-10-14 17:28:31 -04:00			`{`
First build 2024-10-14 18:35:04 -04:00			`security.polkit = {`
			`enable = true;`
			`extraConfig = ''`
			`polkit.addRule(function (action, subject) {`
			`if (`
			`subject.isInGroup("users") &&`
			`[`
			`"org.freedesktop.login1.reboot",`
			`"org.freedesktop.login1.reboot-multiple-sessions",`
			`"org.freedesktop.login1.power-off",`
			`"org.freedesktop.login1.power-off-multiple-sessions",`
			`].indexOf(action.id) !== -1`
			`) {`
			`return polkit.Result.YES;`
			`}`
			`});`
			`polkit.addRule(function(action, subject) {`
			`var YES = polkit.Result.YES;`
			`var permission = {`
			`// required for udisks1:`
			`"org.freedesktop.udisks.filesystem-mount": YES,`
			`"org.freedesktop.udisks.luks-unlock": YES,`
			`"org.freedesktop.udisks.drive-eject": YES,`
			`"org.freedesktop.udisks.drive-detach": YES,`
			`// required for udisks2:`
			`"org.freedesktop.udisks2.filesystem-mount": YES,`
			`"org.freedesktop.udisks2.encrypted-unlock": YES,`
			`"org.freedesktop.udisks2.eject-media": YES,`
			`"org.freedesktop.udisks2.power-off-drive": YES,`
			`// required for udisks2 if using udiskie from another seat (e.g. systemd):`
			`"org.freedesktop.udisks2.filesystem-mount-other-seat": YES,`
			`"org.freedesktop.udisks2.filesystem-unmount-others": YES,`
			`"org.freedesktop.udisks2.encrypted-unlock-other-seat": YES,`
			`"org.freedesktop.udisks2.encrypted-unlock-system": YES,`
			`"org.freedesktop.udisks2.eject-media-other-seat": YES,`
			`"org.freedesktop.udisks2.power-off-drive-other-seat": YES`
			`};`
			`if (subject.isInGroup("storage")) {`
			`return permission[action.id];`
			`}`
			`});`
			`'';`
			`};`
Initial Commit 2024-10-14 17:28:31 -04:00
Second Build - Full Boat 2024-10-14 19:37:56 -04:00			`security.pam.services = {`
			`login.enableKwallet = true;`
			`login.kwallet = {`
			`enable = true;`
			`package = pkgs.plasma5Packages.kwallet-pam;`
			`};`
			`sddm = {`
			`enableKwallet = true;`
			`text = ''`
			`# Enable pam_kwallet5 for sddm`
			`auth optional pam_kwallet5.so`
			`session optional pam_kwallet5.so auto_start`
			`'';`
			`};`
			`};`
			`security.pam.services.wayne.kwallet.enable = true;`
			`security.pam.services.wayne.kwallet.package = pkgs.plasma5Packages.kwallet-pam;`
First build 2024-10-14 18:35:04 -04:00
			`security.rtkit.enable = true;`

			`security.sudo = {`
			`enable = true;`
			`extraConfig = ''`
			`%wheel ALL=(ALL) NOPASSWD: ${pkgs.input-remapper}/bin/input-remapper-service`
			`%wheel ALL=(ALL) NOPASSWD: ${pkgs.input-remapper}/bin/input-remapper-control`
			`'';`
			`};`

			`# Some programs need SUID wrappers, can be configured further or are`
			`# started in user sessions.`
			`# programs.mtr.enable = true;`
			`# programs.gnupg.agent = {`
			`# enable = true;`
			`# enableSSHSupport = true;`
			`# };`
Initial Commit 2024-10-14 17:28:31 -04:00			`}`