authorBen Sima <ben@bsima.me>2022-02-01 22:23:13 -0500
committerBen Sima <ben@bsima.me>2022-02-01 22:23:13 -0500
commitd61fc3da96fb2cbc44f39f58ad6bbfe7001b6c81 (patch)
tree94e150e90b8ad974a814d5459055fe7d90576bd0 /machines
parent3c98890752eeb27730a42514cfc2cc5d90cf7c9f (diff)
lock when yubikey is removed
Took me forever, but I figured out how to use udev rules to give xautolock permission to see the YubiKey when unlocking. This also triggers a systemd service that locks the screen when the YubiKey is removed. I couldn't do this directly in a udev RUN because udev is bad at running programs as a different user and with environment variables and such. This is still a bit buggy: I seem to consistently need to authenticate twice when unlocking, but I think that would be fixed if I got rid of the serviceConfig.User thing with some fancy scripting. As a backup, I added Super+Shift+L for manual locking.
Diffstat (limited to 'machines')
-rw-r--r--machines/helium.nix31
1 files changed, 28 insertions, 3 deletions
diff --git a/machines/helium.nix b/machines/helium.nix
index 564dd28..b0bcf64 100644
--- a/machines/helium.nix
+++ b/machines/helium.nix
@@ -47,6 +47,7 @@ in {
yubioath-desktop
yubico-pam
yubikey-manager
+ yubikey-personalization
];
nixpkgs = {
@@ -107,10 +108,12 @@ in {
xserver.desktopManager.xterm.enable = true;
xserver.xautolock.enable = true;
+ xserver.xautolock.locker = "${pkgs.xlockmore}/bin/xlock";
+ xserver.xautolock.nowlocker = "${pkgs.xlockmore}/bin/xlock"; # xautolock -locknow
+ xserver.xautolock.time = 5; # minutes
xserver.xautolock.enableNotifier = true;
- xserver.xautolock.notifier = "${pkgs.libnotify}/bin/notify-send 'locking in 10 seconds'";
- xserver.xautolock.nowlocker = "${pkgs.i3lock}/bin/i3lock --color=000000 --show-failed-attempts --ignore-empty-password";
- xserver.xautolock.locker = "${pkgs.i3lock}/bin/i3lock --color=000000 --show-failed-attempts --ignore-empty-password";
+ xserver.xautolock.notify = 30; # seconds
+ xserver.xautolock.notifier = ''${pkgs.libnotify}/bin/notify-send "Locking in 30 seconds"'';
vnstat.enable = true;
@@ -118,6 +121,28 @@ in {
fail2ban.enable = true;
clamav.daemon.enable = true;
clamav.updater.enable = true;
+
+ udev.extraRules = ''
+ # allows xlock to read the yubikey for challenge-response when unlocking.
+ # you need to do 'udevadm control --reload && udevadm trigger' after
+ # changing this. 'ykinfo -v' without sudo should work.
+ ACTION!="add|change", GOTO="yubico_end", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0401|0403|0405|0407|0410", OWNER="ben", MODE="0600"
+ LABEL="yubico_end"
+
+ # when yubi is removed, activate yubilock
+ ACTION=="remove", ENV{ID_BUS}=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0407", ENV{ID_SERIAL}="Yubico_Yubikey_4_OTP+U2F+CCID", RUN+="${pkgs.systemd}/bin/systemctl start yubilock"
+ '';
+ };
+ systemd.services = {
+ "yubilock" = {
+ script = "xlock";
+ path = [ pkgs.xlockmore ];
+ wantedBy = ["dummy.device"]; # i have to provide a WantedBy
+ environment = { DISPLAY = ":0"; };
+ # i think i can get rid of user if I use this script:
+ # https://0day.work/locking-the-screen-when-removing-a-yubikey/
+ serviceConfig.User = "ben";
+ };
};
# Use the systemd-boot EFI boot loader.
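Review bot: The permission rule in the first udev line of `udev.extraRules` never fires on insertion, because `ACTION!="add|change"`, the `GOTO`, and the `OWNER`/`MODE` assignments sit in one rule and udev requires every match key of a rule to hold before it applies that rule's assignments, so on `add` the vendor/product match is never even reached with the owner change. Split it into the two rules the upstream Yubico file uses: `ACTION!="add|change", GOTO="yubico_end"` and `ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0401|0403|0405|0407|0410", OWNER="ben", MODE="0600"`. In the remove rule, `ENV{ID_SERIAL}="Yubico_Yubikey_4_OTP+U2F+CCID"` uses `=`, which assigns the property rather than matching it (write `==` or drop the key), and matching only `ID_MODEL_ID=="0407"` means a key enumerating under any of the other product IDs listed in the first rule can be removed without `yubilock` ever starting, which is the fail-open case for this control. Since the unit runs `xlock` with only `DISPLAY` set and no `XAUTHORITY`, it is worth confirming that a failed connection to the display is noticed (the unit just fails and the screen stays unlocked), and that an `xlock` started from the service is not also what causes the double authentication the description mentions. The `services = { ... }` attribute set that the first part of this hunk lives in starts outside the hunk.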