| blob | 3db9e0ac445861ad3413ecf6c546c3c70f5b52bc |
1 { config, lib, pkgs, ... }:
3 with lib;
5 let
6 cfg = config.services.physlock;
7 in
9 {
11 ###### interface
13 options = {
15 services.physlock = {
17 enable = mkOption {
18 type = types.bool;
19 default = false;
20 description = lib.mdDoc ''
21 Whether to enable the {command}`physlock` screen locking mechanism.
23 Enable this and then run {command}`systemctl start physlock`
24 to securely lock the screen.
26 This will switch to a new virtual terminal, turn off console
27 switching and disable SysRq mechanism (when
28 {option}`services.physlock.disableSysRq` is set)
29 until the root or user password is given.
30 '';
31 };
33 allowAnyUser = mkOption {
34 type = types.bool;
35 default = false;
36 description = lib.mdDoc ''
37 Whether to allow any user to lock the screen. This will install a
38 setuid wrapper to allow any user to start physlock as root, which
39 is a minor security risk. Call the physlock binary to use this instead
40 of using the systemd service.
41 '';
42 };
44 disableSysRq = mkOption {
45 type = types.bool;
46 default = true;
47 description = lib.mdDoc ''
48 Whether to disable SysRq when locked with physlock.
49 '';
50 };
52 lockMessage = mkOption {
53 type = types.str;
54 default = "";
55 description = lib.mdDoc ''
56 Message to show on physlock login terminal.
57 '';
58 };
60 lockOn = {
62 suspend = mkOption {
63 type = types.bool;
64 default = true;
65 description = lib.mdDoc ''
66 Whether to lock screen with physlock just before suspend.
67 '';
68 };
70 hibernate = mkOption {
71 type = types.bool;
72 default = true;
73 description = lib.mdDoc ''
74 Whether to lock screen with physlock just before hibernate.
75 '';
76 };
78 extraTargets = mkOption {
79 type = types.listOf types.str;
80 default = [];
81 example = [ "display-manager.service" ];
82 description = lib.mdDoc ''
83 Other targets to lock the screen just before.
85 Useful if you want to e.g. both autologin to X11 so that
86 your {file}`~/.xsession` gets executed and
87 still to have the screen locked so that the system can be
88 booted relatively unattended.
89 '';
90 };
92 };
94 };
96 };
99 ###### implementation
101 config = mkIf cfg.enable (mkMerge [
102 {
104 # for physlock -l and physlock -L
105 environment.systemPackages = [ pkgs.physlock ];
107 systemd.services.physlock = {
108 enable = true;
109 description = "Physlock";
110 wantedBy = optional cfg.lockOn.suspend "suspend.target"
111 ++ optional cfg.lockOn.hibernate "hibernate.target"
112 ++ cfg.lockOn.extraTargets;
113 before = optional cfg.lockOn.suspend "systemd-suspend.service"
114 ++ optional cfg.lockOn.hibernate "systemd-hibernate.service"
115 ++ optional (cfg.lockOn.hibernate || cfg.lockOn.suspend) "systemd-suspend-then-hibernate.service"
116 ++ cfg.lockOn.extraTargets;
117 serviceConfig = {
118 Type = "forking";
119 ExecStart = "${pkgs.physlock}/bin/physlock -d${optionalString cfg.disableSysRq "s"}${optionalString (cfg.lockMessage != "") " -p \"${cfg.lockMessage}\""}";
120 };
121 };
123 security.pam.services.physlock = {};
125 }
127 (mkIf cfg.allowAnyUser {
129 security.wrappers.physlock =
130 { setuid = true;
131 owner = "root";
132 group = "root";
133 source = "${pkgs.physlock}/bin/physlock";
134 };
136 })
137 ]);
139 }